From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.org!.POSTED!not-for-mail
From: Wilfred Hughes <me@wilfred.me.uk>
Newsgroups: gmane.emacs.devel
Subject: Re: Avoiding arbitrary code execution with macroexpansion
Date: Wed, 22 Aug 2018 01:15:41 +0100
Message-ID: <CAFXAjY66dwPfCAhWAvMRKVjTKrguwbf4C2swge2UOdeqU0V9bw@mail.gmail.com>
References: <CAFXAjY5f4YfHAtZur1RAqH34UbYU56_t6t2Er0YEh1Sb7-W=hg@mail.gmail.com>
	<E1fraUU-0007Rx-DX@fencepost.gnu.org>
NNTP-Posting-Host: blaine.gmane.org
Mime-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
X-Trace: blaine.gmane.org 1534896856 28608 195.159.176.226 (22 Aug 2018 00:14:16 GMT)
X-Complaints-To: usenet@blaine.gmane.org
NNTP-Posting-Date: Wed, 22 Aug 2018 00:14:16 +0000 (UTC)
Cc: emacs-devel <emacs-devel@gnu.org>
To: rms@gnu.org, Paul Eggert <eggert@cs.ucla.edu>
Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Wed Aug 22 02:14:12 2018
Return-path: <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>
Envelope-to: ged-emacs-devel@m.gmane.org
Original-Received: from lists.gnu.org ([208.118.235.17])
	by blaine.gmane.org with esmtp (Exim 4.84_2)
	(envelope-from <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>)
	id 1fsGmp-0007J8-KI
	for ged-emacs-devel@m.gmane.org; Wed, 22 Aug 2018 02:14:11 +0200
Original-Received: from localhost ([::1]:56326 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>)
	id 1fsGov-0002aC-Sy
	for ged-emacs-devel@m.gmane.org; Tue, 21 Aug 2018 20:16:21 -0400
Original-Received: from eggs.gnu.org ([2001:4830:134:3::10]:55767)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <me@wilfred.me.uk>) id 1fsGoj-0002a7-CP
	for emacs-devel@gnu.org; Tue, 21 Aug 2018 20:16:10 -0400
Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <me@wilfred.me.uk>) id 1fsGoe-0003PY-3H
	for emacs-devel@gnu.org; Tue, 21 Aug 2018 20:16:08 -0400
Original-Received: from mail-qk0-x22d.google.com ([2607:f8b0:400d:c09::22d]:42351)
	by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.71) (envelope-from <me@wilfred.me.uk>) id 1fsGod-0003OI-NS
	for emacs-devel@gnu.org; Tue, 21 Aug 2018 20:16:03 -0400
Original-Received: by mail-qk0-x22d.google.com with SMTP id p71-v6so113681qka.9
	for <emacs-devel@gnu.org>; Tue, 21 Aug 2018 17:16:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=wilfred-me-uk.20150623.gappssmtp.com; s=20150623;
	h=mime-version:in-reply-to:references:from:date:message-id:subject:to
	:cc; bh=Dvl2P+D95m86FsFBvYtpzhnXmgDVJfs849vmvfoGDTo=;
	b=j2XFoPwiCDAQf1pXNz1DqrOqJn9AM/Tr6HQDgbFEAbgp64oOiBtOgNWazJE6MXdhyj
	3BRRz8PLt3cgSk8rLnEgZ75rUg4TX3vkRX4no7sQsBBoSJCs/UvruId6q38HxB9jsWmW
	gNw8kowKUYdUcltKCEtFibj97HDjkS04rBya0F9ps6nQVSNPMl0wtiFHJ/PCv7SqWvZP
	Cl0fMJtbSJN5GRICmLsbw0MdYCNP3WtYgymy7tlf1FHtkHf4FEyy79pYk3ysiRVrNAoV
	W+Zq07OhLy1Smfy93T7+/qzJJpN9cFYLl/ViGxO8LmGruO9IbrjpiL8jnwM5eP1rgsaH
	3eAg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:mime-version:in-reply-to:references:from:date
	:message-id:subject:to:cc;
	bh=Dvl2P+D95m86FsFBvYtpzhnXmgDVJfs849vmvfoGDTo=;
	b=cXdJRnDaIKkCY7/O0chuMxZ689PRqG86caR3ZGFrXIlDo7nPZu9/eh4SL+/QxSyv/S
	ubo8yHPuaAT5l5rHj8PKsI3ty/xfqZ9L3Hr95kJgfLsvVdmAgdNgFO0r17Ziilm8RlXK
	79RBiG7GeRR1G8G8jBkGXRQWQhISV9fCp8ho7fTUknrSUsL7JkR4oHwHqyaEZbGDOTMY
	VAe6UDUPsLSuJs3NtHEQQI05dOx+Il279VKnwP5xB6uIfG0qw+6fXP/vGW9RrCxycTb7
	UtW7bY+TVRPhlTfAwV6HNy9zIiKm95PEE0oL6pc0uQmjFQoIyrjJNshe+MvKrY8YzT5p
	fUAg==
X-Gm-Message-State: AOUpUlFrKXbLqmykZ8r34lWRsD1VqZRZ92BO9QqXnOk2cPaMmRF2cF0e
	ApofxOTKY9wrgrHeX75ZQWqOT8+YHvNCduC7cm/CbBqXXK8=
X-Google-Smtp-Source: AA+uWPweuwrIIWmO1pD+LyyBxmPiSeZh5u09R2FGHh9cIaLwfI07VTfIykIzc49HMYKsPfCSqJYZd5RXM6dK+o1bNNY=
X-Received: by 2002:a37:8346:: with SMTP id
	f67-v6mr46692627qkd.18.1534896961554; 
	Tue, 21 Aug 2018 17:16:01 -0700 (PDT)
Original-Received: by 2002:aed:3305:0:0:0:0:0 with HTTP; Tue, 21 Aug 2018 17:15:41
	-0700 (PDT)
X-Originating-IP: [92.233.94.77]
In-Reply-To: <E1fraUU-0007Rx-DX@fencepost.gnu.org>
X-detected-operating-system: by eggs.gnu.org: Genre and OS details not
	recognized.
X-Received-From: 2607:f8b0:400d:c09::22d
X-BeenThere: emacs-devel@gnu.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: "Emacs development discussions." <emacs-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/emacs-devel>,
	<mailto:emacs-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/emacs-devel/>
List-Post: <mailto:emacs-devel@gnu.org>
List-Help: <mailto:emacs-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/emacs-devel>,
	<mailto:emacs-devel-request@gnu.org?subject=subscribe>
Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org
Original-Sender: "Emacs-devel" <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>
Xref: news.gmane.org gmane.emacs.devel:228794
Archived-At: <http://permalink.gmane.org/gmane.emacs.devel/228794>

> Sounds like it. I suggest constructing a complete, self-contained and hopefully easy way to reproduce
> the problem with emacs -Q, and sending it in a bug report to bug-gnu-emacs@gnu.org. Thanks.

Done, #32495.

> Perhaps doing an flet of eval and apply would work.

I tried that, but it would require using flet with every function that
can evaluate code directly (i.e. doesn't itself call eval). I'm not
sure of the full list. I tried this:

(cl-letf (((symbol-function 'eval) #'ignore)
          ((symbol-function 'eval-region) #'ignore)
          ((symbol-function 'eval-buffer) #'ignore)
          ((symbol-function 'backtrace-eval) #'ignore))
  (macroexpand-all some-arbitrary-form-here))

but I know this is missing a few functions, such as load and load-file.

On 20 August 2018 at 04:04, Richard Stallman <rms@gnu.org> wrote:
> [[[ To any NSA and FBI agents reading my email: please consider    ]]]
> [[[ whether defending the US Constitution against all enemies,     ]]]
> [[[ foreign or domestic, requires you to follow Snowden's example. ]]]
>
>   > Using a macro that calls eval, such as eval-when-compile,
>   > eval-and-compile, c-lang-defconst-eval-immediately (undoubtedly others
>   > too), means anything can happen at macroexpansion time.
>
> Can we make macroexpand detect these cases and give an error?
> It would have to do a codewalk on the macro definition,
> but that is doable.
>
> Perhaps doing an flet of eval and apply would work.
>
>
> --
> Dr Richard Stallman
> President, Free Software Foundation (https://gnu.org, https://fsf.org)
> Internet Hall-of-Famer (https://internethalloffame.org)
>
>