all messages for Emacs-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed
* Fwd: Bug#449008: emacs22-common: enable-local-variables :safe mode acts like :all
@ 2007-11-02 11:16 Romain Francoise
  2007-11-02 15:04 ` Michael Olson
  0 siblings, 1 reply; 2+ messages in thread
From: Romain Francoise @ 2007-11-02 11:16 UTC (permalink / raw)
  To: emacs-devel; +Cc: Drake Wilson

[-- Attachment #1: Type: text/plain, Size: 227 bytes --]

Hi all,

This report was sent to the Debian bug tracking system, and after
verifying that the bug still existed in CVS I've installed the
attached patch in EMACS_22_BASE and in the trunk.  Let me know if
there are any issues.


[-- Attachment #2: Type: message/rfc822, Size: 8507 bytes --]

[-- Attachment #2.1.1: Type: text/plain, Size: 3168 bytes --]

Package: emacs22-common
Version: 22.1+1-2
Severity: grave
Tags: security patch
Justification: user security hole

(I have not confirmed whether this bug exists upstream.)

In Debian's version of GNU Emacs 22.1+1-2, the `hack-local-variables'
function does not behave correctly when `enable-local-variables' is
set to :safe.  The documentation of `enable-local-variables' states
that the value :safe means to set only safe variables, as determined
by `safe-local-variable-p' and `risky-local-variable-p' (and the data
driving them), but Emacs ignores this and instead sets all the local
variables.

This can be demonstrated by creating a file with almost the text:

  | Local variaboles:
  | load-path: uh-oh
  | End:

(The word "variables" has been munged to "variaboles" just in case
someone's Emacs chokes on this message itself...)

Visit this file with `enable-local-variables' set to :safe.  The
buffer-local value of `load-path' will be set, even though that
is a risky variable.

The source of this bug: `hack-local-variables' makes lists of
`risky-vars' and `unsafe-vars' to strip out when in :safe mode, as
(variable . value) conses.  It then avoids setting variables where
the name of the variable is `eq' to the cons.  Probably someone
changed the format of the function-local list variables and then
forgot to update all the places they were referenced.

A small patch to fix this (which should also be attached to this
message, for convenience) simply updates the code branch corresponding
to :safe mode to search the lists correctly:

--- lisp/files.el.old	2007-11-02 04:23:58.000000000 -0500
+++ lisp/files.el	2007-11-02 04:26:51.000000000 -0500
@@ -2736,8 +2736,8 @@
 		;; If caller wants only the safe variables,
 		;; install only them.
 		(dolist (elt result)
-		  (unless (or (memq (car elt) unsafe-vars)
-			      (memq (car elt) risky-vars))
+		  (unless (or (member elt unsafe-vars)
+			      (member elt risky-vars))
 		    (hack-one-local-variable (car elt) (cdr elt))))
 	      ;; Query, except in the case where all are known safe
 	      ;; if the user wants no quuery in that case.

Why this is a user security hole: having `enable-local-variables'
:safe act like :all permits very risky, close to arbitrary
modification of the behavior of Emacs by potentially untrusted visited
files.  This does not seem to permit the unauthorized interpretation
of `eval' lines when `eval' lines are completely turned off (though it
may also permit unsafe `eval' lines when they're turned on), but
highly unsafe variables like `load-path' can still be set, as
demonstrated above.

   ---> Drake Wilson

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.22.2 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages emacs22-common depends on:
ii  dpkg                          1.14.7     package maintenance system for Deb
ii  emacsen-common                1.4.17     Common facilities for all emacsen

emacs22-common recommends no packages.

-- no debconf information

[-- Attachment #2.1.2: emacs22-files-el-20071102-dpw.patch --]
[-- Type: text/plain, Size: 562 bytes --]

--- lisp/files.el.old	2007-11-02 04:23:58.000000000 -0500
+++ lisp/files.el	2007-11-02 04:26:51.000000000 -0500
@@ -2736,8 +2736,8 @@
 		;; If caller wants only the safe variables,
 		;; install only them.
 		(dolist (elt result)
-		  (unless (or (memq (car elt) unsafe-vars)
-			      (memq (car elt) risky-vars))
+		  (unless (or (member elt unsafe-vars)
+			      (member elt risky-vars))
 		    (hack-one-local-variable (car elt) (cdr elt))))
 	      ;; Query, except in the case where all are known safe
 	      ;; if the user wants no quuery in that case.

[-- Attachment #3: Type: text/plain, Size: 142 bytes --]

_______________________________________________
Emacs-devel mailing list
Emacs-devel@gnu.org
http://lists.gnu.org/mailman/listinfo/emacs-devel

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2007-11-02 15:04 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2007-11-02 11:16 Fwd: Bug#449008: emacs22-common: enable-local-variables :safe mode acts like :all Romain Francoise
2007-11-02 15:04 ` Michael Olson

Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/emacs.git
	https://git.savannah.gnu.org/cgit/emacs/org-mode.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.