From: Alex Kosorukoff
Newsgroups: gmane.emacs.bugs
Subject: bug#17467: 24.3; locate-library returning spurious path
Date: Sun, 11 May 2014 15:31:56 -0700
References: <3feh00ko79.fsf@fencepost.gnu.org>
To: Glenn Morris
Cc: 17467 <17467@debbugs.gnu.org>

I think you are overlooking something. If I notice a random tramp.el in some unusual place, I will investigate it right away because I know .el files can be executed by emacs. I wouldn't do it for a random data file without extension or a compressed .gz archive unless they have executable permission for some unknown reason. Data files are created by many applications and it is concerning me as long as no program I frequently use will execute them randomly. You can say that data files should never be in the load-path of emacs and I will agree with you. However, I can see scenarios when this can happen unintentionally. It would be careless not to try to add a simple safeguard to prevent this kind of execution.

I did fix the proximal cause already, worked around this function and patched my emacs, so this bug doesn't affect me in any way now. Now I am trying hard to fix the root cause. This is why I reported this bug, shared my patches and addressed all valid concerns that were expressed here, even those that aren't that important for me personally. The most difficult part seems to be in persuading developers that this is an issue to be fixed. If I fail at this, I simply will be less confident in using emacs.

On Sun, May 11, 2014 at 2:19 PM, Glenn Morris wrote:

> Alex Kosorukoff wrote:
>
> > It can cause user inconvenience or pose a security/privacy issue
> > because a random file named "tramp" or "tramp.gz" placed in some
> > directory of the load-path can be loaded instead of the standard
> > library without user knowledge.
>
> This argument does not fly, because if someone can write a "tramp" file
> to a directory in your load-path, they can just as easily write
> "tramp.el". Random files should not be being written to your load-path,
> and you should not be adding inappropriate directories to that path.
> Your immediate problem was having ~/.emacs.d in load-path.
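An added example, not part of the original message or of Emacs itself: one way to audit for the situation discussed in this thread, a file in a load-path directory that carries a library's name ("tramp", "tramp.gz") but no .el/.elc suffix. The function name `my-load-path-bare-shadows` is hypothetical, and the check assumes the only compression suffix of interest is ".gz".

```elisp
;; Added example (not from the thread). The function name is hypothetical.
;; Reports regular files in `load-path' directories whose name is NAME or
;; NAME.gz where NAME.el / NAME.elc exists somewhere in `load-path'.

(defun my-load-path-bare-shadows ()
  "Return a list of (BARE-FILE . LIBRARY-FILE) pairs found in `load-path'.
BARE-FILE has no .el/.elc suffix but shares its base name with the
real library LIBRARY-FILE."
  (let ((libs (make-hash-table :test 'equal))
        (lisp-re "\\`\\(.+?\\)\\.elc?\\(\\.gz\\)?\\'")
        (hits '()))
    ;; Pass 1: index every library base name that has a real Lisp file.
    (dolist (dir load-path)
      (when (and dir (file-directory-p dir))
        (dolist (f (directory-files dir t "\\.elc?\\(\\.gz\\)?\\'"))
          (let ((name (file-name-nondirectory f)))
            (when (and (string-match lisp-re name)
                       (not (gethash (match-string 1 name) libs)))
              (puthash (match-string 1 name) f libs))))))
    ;; Pass 2: look for suffix-less (or only .gz-suffixed) name collisions.
    (dolist (dir load-path)
      (when (and dir (file-directory-p dir))
        (dolist (f (directory-files dir t))
          (let* ((name (file-name-nondirectory f))
                 (base (if (string-match "\\.gz\\'" name)
                           (substring name 0 (match-beginning 0))
                         name))
                 (lib (gethash base libs)))
            (when (and lib
                       (file-regular-p f)          ; skip subdirectories
                       (not (string-match lisp-re name)))
              (push (cons f lib) hits))))))
    (nreverse hits)))

;; Usage: evaluate in a running Emacs and review each reported pair.
(dolist (hit (my-load-path-bare-shadows))
  (message "%s shares a name with library %s" (car hit) (cdr hit)))
```

An empty result means no such name collisions exist in the directories currently on `load-path`; it says nothing about directories added later in the session.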