From mboxrd@z Thu Jan 1 00:00:00 1970
From: Eric Abrahamsen
Newsgroups: gmane.emacs.bugs
Subject: bug#28489: Acknowledgement (27.0.50; eieio-persistent slot type validation should be a bit smarter)
Date: Fri, 29 Sep 2017 13:31:59 -0700
Message-ID: <87vak16ybk.fsf@ericabrahamsen.net>
In-Reply-To: <87lglcn8dt.fsf@ericabrahamsen.net>
References: <87lglcn8dt.fsf@ericabrahamsen.net> <878th1i50l.fsf@ericabrahamsen.net> <87wp4lf1kq.fsf@users.sourceforge.net> <87ing4cd04.fsf@ericabrahamsen.net> <87h8vnftnx.fsf@users.sourceforge.net> <87zi9fxvnh.fsf@ericabrahamsen.net> <8760c2fike.fsf@users.sourceforge.net>
To: 28489@debbugs.gnu.org
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.0.60 (gnu/linux)

Noam Postavsky writes:

> Eric Abrahamsen writes:
>
>> Essentially it is validating twice, both before and after the actual
>> objects are created. I don't have a very firm grasp of all the code
>> involved, but in principle I would prefer just to eval all object
>> construction forms regardless, and then let it blow up at "real"
>> validation time -- it was going to blow up anyway.
>
> Hmm, yeah, it does look like the prevalidation is mostly redundant work. The
> docstring of eieio-persistent-convert-list-to-object mentions malicious
> code, perhaps the prevalidation should be with unsafep (i.e., don't try
> to typecheck anything, just make sure it's safe to eval). This would
> require that object constructors could be marked safe though.

That sounds like the right solution. I've never looked at unsafep.el, and
don't know exactly how it works, but in principle I think object creation
should be "safe". Of note:

1. Strings read from the persistence file are already stripped of
   properties.

2. Slot values are simply validated by type. I don't think eval is called
   anywhere, though I'd be happy to try to make sure of this.

3. Object creation could run malicious code *if* someone had overridden
   `initialize-instance' or `shared-initialize', and injected random
   hard-drive-destroying code. But I don't think this malicious code could
   be included in a persistence file itself (that's worth looking into).

I don't know how close that gets us to "safe".

>> But again, my patch or something like it would be enough to get
>> everything working as advertised.
>
> Right. I think your patch is probably fine, though a few tests might be a
> good idea too.

I might as well write tests that exercise the whole eieio-persistent
round-trip: create a few test objects, write them to a tmp file, and read
them back as objects.

Thanks,
Eric
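The round-trip test Eric sketches above, written out as an added example (not code from the thread or from Emacs itself): one ERT test saves an object and reads it back, checking points 1 and 2 of his list, and a second feeds the reader a constructed file whose slot values have the wrong type. The class `rt-note` and helper `rt--tmp-file` are hypothetical names chosen for the example.

```elisp
;; Added example, not from the bug thread or from eieio-base.el.
;; `rt-note' and `rt--tmp-file' are hypothetical names.
(require 'ert)
(require 'eieio)
(require 'eieio-base)

(defclass rt-note (eieio-persistent)
  ((payload :initarg :payload :type string)
   (count :initarg :count :type integer :initform 0))
  "Hypothetical persistent class with two typed slots.")

(defun rt--tmp-file ()
  "Return a fresh temporary path to use as a persistence file."
  (make-temp-file "rt-note-" nil ".eieio"))

(ert-deftest rt-note-round-trip ()
  "Save an object, read it back, and compare the slot values."
  (let* ((file (rt--tmp-file))
         ;; Constructed input: a propertized string, to check that the
         ;; properties do not survive the trip through the file.
         (text (propertize "hello" 'face 'bold))
         (obj (rt-note :file file :payload text :count 3)))
    (unwind-protect
        (progn
          (eieio-persistent-save obj)
          (let ((back (eieio-persistent-read file 'rt-note)))
            (should (rt-note-p back))
            (should (string= (oref back payload) "hello"))
            (should (= (oref back count) 3))
            ;; Point 1: strings come back stripped of text properties.
            (should-not (text-properties-at 0 (oref back payload)))))
      (delete-file file))))

(ert-deftest rt-note-rejects-wrong-slot-type ()
  "A hand-edited file whose slot values have the wrong type must not load.
The list form mirrors what `object-write' emits; it is constructed here."
  (let ((file (rt--tmp-file)))
    (unwind-protect
        (progn
          (with-temp-file file
            (insert ";; EIEIO PERSISTENT OBJECT\n"
                    "(rt-note \"bad\" :payload 42 :count \"three\")\n"))
          ;; Point 2: slot values are validated by type, so reading this
          ;; signals an error instead of producing an object.
          (should-error (eieio-persistent-read file 'rt-note)))
      (delete-file file))))
```

Run both with `M-x ert RET rt-note- RET`; the negative test only asserts that some error is signalled, since the exact condition differs between the pre-validation step and the constructor's own type check.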