Re: SES local variables to define printers

[Glenn Morris <rgm@gnu.org>]

I haven't quite followed what you are trying to do (I don't know what a
SES "printer" is), but as a general comment: please, please don't
(re)invent your own version of local variable handling unless you are
really, really sure you need special handling that is not provided by
normal file or directory local variables (or local eval). (And be really
careful if you do implement it, since it can be a security hole.)


Vincent Belaïche wrote:

> That sort of trick was to define a file local variable foo to a lambda
> expression defining a printer function, and then use the foo symbol as a
> printer when setting the printer for a cell.
[...]
> By the way, that kind of things was a security breach because you allow
> to call a function defined in the file without any control.

!!!

> Now, I would like to have again the same sort of feature in SES,

!!!

> so I did a quick hack herein attached 

!!!

"Security breach" + "quick hack" = fun times

> - is that possible to check that when a function is executing, that
>   takes a reasonable time, and if not to interact with the use and ask
>   whether he/she would like to double that time

   Your printer function `(lambda (arg) (shell-command "rm -rf /"))'
   has been running for 30 seconds.  Run for another 60?

Doesn't help much...

> +(defcustom ses-enable-local-variables nil
> +  "Non-nil if SES should process local-variables lists in ses buffers.

Why is this needed - what's wrong with the normal enable-local-variables?
Why should there be a special variable that controls local variables
only in SES files?

> +\(You can explicitly request processing the local-variables by
> +executing `(hack-local-variables)'). Local variables are useful
> +to define file local printers or values but raise a security
> +issue if the printer function is used to do border effects. If
> +you select `Filename test', then you should configure a function
> +symbol or lambda expression which takes one argument, then the
> +local variables are processed iff the buffer file name passed to

Don't use "iff" in doc strings.

> +this function returns a non nil. For instance you could configure:

"returns non-nil".

> +  (lambda (x)
> +    (string-match \"^/dir/where/local/var/are/allowed\" 
> +		  (expand-file-name x)))

Sounds like dir-locals.  Why not just use a dir-locals file?

> +"
> +  :type '(choice
> +	  (const :tag "No" nil)
> +	  (const :tag "Yes" t)
> +	  (function :tag "Filename test"))
> +  :group 'ses)

You would need to add

   :risky t

>        (functionp printer)
> +      (and (symbolp printer) (boundp printer) (functionp (symbol-value printer)))

What is this for?

> +	(and (symbolp printer)
> +	     (boundp printer)
> +	     (functionp (symbol-value printer))
> +	     (setq printer (symbol-value printer)))

? Likewise.

>  	(setq value (funcall printer (or value "")))
>  	(if (stringp value)
>  	    value
> @@ -1899,9 +1925,17 @@
>    (unless (and (boundp 'ses--deferred-narrow)
>  	       (eq ses--deferred-narrow 'ses-mode))
>      (kill-all-local-variables)
> +    (setq major-mode 'ses-mode)
> +    (and
> +     enable-local-variables
> +     ses-enable-local-variables
> +     (or (eq ses-enable-local-variables t)
> +	 (let ((bfn (buffer-file-name)))
> +	   (and (stringp bfn)
> +		(funcall ses-enable-local-variables bfn))))

Ironically, ses-enable-local-variables is itself a potential security hole...