From: Paul Eggert
Newsgroups: gmane.emacs.bugs
Subject: bug#27986: 26.0.50; 'rename-file' can rename files without confirmation
Date: Wed, 16 Aug 2017 10:19:35 -0700
Organization: UCLA Computer Science Department
To: Eli Zaretskii, Richard Stallman
Cc: p.stephani2@gmail.com, 27986@debbugs.gnu.org
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: security

Eli Zaretskii wrote:

> Did you look at all the users of these functions in
> our codebase?

I have not looked at every single one in detail. I've looked at a fair sample. See below for more discussion.

> E.g., I see at least one use of rename-file in Gnus
> that moves a directory, possibly 2 such uses.

Moving a directory is not a problem. The only problem is when the destination is a directory but not a directory name and the intent is to change an entry in that directory rather than to change the original destination.

I agree that some uses in code will need to be adjusted. Most won't, though. For example, in the first occurrence of the string "rename-file" in Gnus, where gnus-agent-rename-group calls (gnus-rename-file old-path new-path t), the intent is to rename OLD-PATH to NEW-PATH, not to rename it to be a subsidiary entry to NEW-PATH. For this particular example, the proposed change is slightly beneficial, since it prevents rename-file from doing the wrong thing in the (admittedly unlikely) event that some other process changes NEW-PATH to a directory while Gnus is operating.

> What's more, some of the use cases will not even
> signal an error after the change, they will instead silently do
> something different from the previous versions, which is really bad.

This should be quite rare. The only scenario I see matching your concern is if the source is a directory, the destination is not a directory name but is an empty directory and is not a symlink, and the destination is not a descendant of the source. Although not impossible, this will happen so rarely that it doesn't invalidate the proposed change.

> At the very least, all the users in Emacs
> should be audited and fixed as needed.

Sure, I'll volunteer to do that. There are only 172 lines containing the string "rename-file" in our Emacs Lisp code base, for example, and it shouldn't be that much work to check them.

I've looked at this issue fairly carefully, and I'm afraid the solution I've proposed is the best way forward if we want to close the security hole in Emacs.
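
One way to support the audit discussed in the message above, as an added example that is not code from Emacs, Gnus or the proposed patch: a before-advice that records `rename-file` calls whose destination is an existing directory but is not written as a directory name. All `demo-` names are hypothetical, and the temporary files are constructed for the demonstration.

```elisp
;; Added illustration.  All `demo-' names are hypothetical; none of this
;; is code from Emacs, Gnus or the proposed patch.

(defvar demo-ambiguous-calls nil
  "Recorded (FILE NEWNAME) pairs whose destination was ambiguous.")

(defun demo-classify-destination (newname)
  "Classify NEWNAME as a destination for `rename-file'.
`directory-name'     ends in a directory separator: the caller is
                     asking for an entry inside that directory.
`existing-directory' names an existing directory but is not written
                     as a directory name: the case under discussion.
`plain'              anything else."
  (cond ((directory-name-p newname) 'directory-name)
        ((file-directory-p newname) 'existing-directory)
        (t 'plain)))

(defun demo-record-ambiguous (file newname &rest _)
  "Before-advice: note calls whose NEWNAME is an `existing-directory'.
Diagnostic only: the check runs before the rename, so it finds call
sites to review but cannot close the race itself."
  (when (eq (demo-classify-destination newname) 'existing-directory)
    (push (list file newname) demo-ambiguous-calls)))

(defun demo-run ()
  "Exercise both call styles on constructed temp files; return the log."
  (let* ((dir (make-temp-file "demo-dst" t)) ; directory, no trailing slash
         (a (make-temp-file "demo-a"))
         (b (make-temp-file "demo-b")))
    (setq demo-ambiguous-calls nil)
    (advice-add 'rename-file :before #'demo-record-ambiguous)
    (unwind-protect
        (progn
          ;; Explicit intent: a directory name means "put A inside DIR".
          (rename-file a (file-name-as-directory dir))
          ;; Ambiguous intent: what happens depends on what DIR is when
          ;; the call runs, so the advice records it.  Errors are ignored
          ;; because the outcome depends on whether the running Emacs
          ;; applies the proposed change.
          (ignore-errors (rename-file b dir))
          demo-ambiguous-calls)
      (advice-remove 'rename-file #'demo-record-ambiguous)
      (delete-directory dir t)
      (when (file-exists-p b) (delete-file b)))))
```

Evaluating `(demo-run)` returns only the second call's arguments; the first call states its intent with `file-name-as-directory` and is not recorded.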