From: Romain Francoise <romain@orebokech.com>
To: emacs-devel@gnu.org
Cc: Drake Wilson <drake@begriffli.ch>
Subject: Fwd: Bug#449008: emacs22-common: enable-local-variables :safe mode acts like :all
Date: Fri, 02 Nov 2007 12:16:30 +0100 [thread overview]
Message-ID: <87zlxwganl.fsf@elegiac.orebokech.com> (raw)
[-- Attachment #1: Type: text/plain, Size: 227 bytes --]
Hi all,
This report was sent to the Debian bug tracking system, and after
verifying that the bug still existed in CVS I've installed the
attached patch in EMACS_22_BASE and in the trunk. Let me know if
there are any issues.
[-- Attachment #2: Type: message/rfc822, Size: 8507 bytes --]
[-- Attachment #2.1.1: Type: text/plain, Size: 3168 bytes --]
Package: emacs22-common
Version: 22.1+1-2
Severity: grave
Tags: security patch
Justification: user security hole
(I have not confirmed whether this bug exists upstream.)
In Debian's version of GNU Emacs 22.1+1-2, the `hack-local-variables'
function does not behave correctly when `enable-local-variables' is
set to :safe. The documentation of `enable-local-variables' states
that the value :safe means to set only safe variables, as determined
by `safe-local-variable-p' and `risky-local-variable-p' (and the data
driving them), but Emacs ignores this and instead sets all the local
variables.
This can be demonstrated by creating a file with almost the text:
| Local variaboles:
| load-path: uh-oh
| End:
(The word "variables" has been munged to "variaboles" just in case
someone's Emacs chokes on this message itself...)
Visit this file with `enable-local-variables' set to :safe. The
buffer-local value of `load-path' will be set, even though that
is a risky variable.
The source of this bug: `hack-local-variables' makes lists of
`risky-vars' and `unsafe-vars' to strip out when in :safe mode, as
(variable . value) conses. It then avoids setting variables where
the name of the variable is `eq' to the cons. Probably someone
changed the format of the function-local list variables and then
forgot to update all the places they were referenced.
A small patch to fix this (which should also be attached to this
message, for convenience) simply updates the code branch corresponding
to :safe mode to search the lists correctly:
--- lisp/files.el.old 2007-11-02 04:23:58.000000000 -0500
+++ lisp/files.el 2007-11-02 04:26:51.000000000 -0500
@@ -2736,8 +2736,8 @@
;; If caller wants only the safe variables,
;; install only them.
(dolist (elt result)
- (unless (or (memq (car elt) unsafe-vars)
- (memq (car elt) risky-vars))
+ (unless (or (member elt unsafe-vars)
+ (member elt risky-vars))
(hack-one-local-variable (car elt) (cdr elt))))
;; Query, except in the case where all are known safe
;; if the user wants no quuery in that case.
Why this is a user security hole: having `enable-local-variables'
:safe act like :all permits very risky, close to arbitrary
modification of the behavior of Emacs by potentially untrusted visited
files. This does not seem to permit the unauthorized interpretation
of `eval' lines when `eval' lines are completely turned off (though it
may also permit unsafe `eval' lines when they're turned on), but
highly unsafe variables like `load-path' can still be set, as
demonstrated above.
---> Drake Wilson
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.22.2 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages emacs22-common depends on:
ii dpkg 1.14.7 package maintenance system for Deb
ii emacsen-common 1.4.17 Common facilities for all emacsen
emacs22-common recommends no packages.
-- no debconf information
[-- Attachment #2.1.2: emacs22-files-el-20071102-dpw.patch --]
[-- Type: text/plain, Size: 562 bytes --]
--- lisp/files.el.old 2007-11-02 04:23:58.000000000 -0500
+++ lisp/files.el 2007-11-02 04:26:51.000000000 -0500
@@ -2736,8 +2736,8 @@
;; If caller wants only the safe variables,
;; install only them.
(dolist (elt result)
- (unless (or (memq (car elt) unsafe-vars)
- (memq (car elt) risky-vars))
+ (unless (or (member elt unsafe-vars)
+ (member elt risky-vars))
(hack-one-local-variable (car elt) (cdr elt))))
;; Query, except in the case where all are known safe
;; if the user wants no quuery in that case.
[-- Attachment #3: Type: text/plain, Size: 142 bytes --]
_______________________________________________
Emacs-devel mailing list
Emacs-devel@gnu.org
http://lists.gnu.org/mailman/listinfo/emacs-devel
next reply other threads:[~2007-11-02 11:16 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-11-02 11:16 Romain Francoise [this message]
2007-11-02 15:04 ` Fwd: Bug#449008: emacs22-common: enable-local-variables :safe mode acts like :all Michael Olson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87zlxwganl.fsf@elegiac.orebokech.com \
--to=romain@orebokech.com \
--cc=drake@begriffli.ch \
--cc=emacs-devel@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/emacs.git
https://git.savannah.gnu.org/cgit/emacs/org-mode.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.