From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.org!not-for-mail From: Eli Zaretskii Newsgroups: gmane.emacs.devel Subject: Re: [mwelinder@gmail.com: Emacs security bug] Date: Sat, 10 May 2008 18:16:55 +0300 Message-ID: References: <87mymy6wnq.fsf@stupidchicken.com> Reply-To: Eli Zaretskii NNTP-Posting-Host: lo.gmane.org X-Trace: ger.gmane.org 1210432669 17126 80.91.229.12 (10 May 2008 15:17:49 GMT) X-Complaints-To: usenet@ger.gmane.org NNTP-Posting-Date: Sat, 10 May 2008 15:17:49 +0000 (UTC) Cc: emacs-devel@gnu.org, mwelinder@gmail.com, simon@gnu.org To: Chong Yidong Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Sat May 10 17:18:27 2008 Return-path: Envelope-to: ged-emacs-devel@m.gmane.org Original-Received: from lists.gnu.org ([199.232.76.165]) by lo.gmane.org with esmtp (Exim 4.50) id 1JuqqA-0004gv-H2 for ged-emacs-devel@m.gmane.org; Sat, 10 May 2008 17:18:26 +0200 Original-Received: from localhost ([127.0.0.1]:43031 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.43) id 1JuqpR-0007ld-Sm for ged-emacs-devel@m.gmane.org; Sat, 10 May 2008 11:17:41 -0400 Original-Received: from mailman by lists.gnu.org with tmda-scanned (Exim 4.43) id 1JuqpN-0007lR-SB for emacs-devel@gnu.org; Sat, 10 May 2008 11:17:37 -0400 Original-Received: from exim by lists.gnu.org with spam-scanned (Exim 4.43) id 1JuqpL-0007l0-1U for emacs-devel@gnu.org; Sat, 10 May 2008 11:17:37 -0400 Original-Received: from [199.232.76.173] (port=60025 helo=monty-python.gnu.org) by lists.gnu.org with esmtp (Exim 4.43) id 1JuqpK-0007kx-VE for emacs-devel@gnu.org; Sat, 10 May 2008 11:17:34 -0400 Original-Received: from mtaout7.012.net.il ([84.95.2.19]:21621) by monty-python.gnu.org with esmtp (Exim 4.60) (envelope-from ) id 1JuqpF-0004xG-V5; Sat, 10 May 2008 11:17:30 -0400 Original-Received: from HOME-C4E4A596F7 ([83.130.255.47]) by i-mtaout7.012.net.il (HyperSendmail v2007.08) with ESMTPA id <0K0N0066OR01LG50@i-mtaout7.012.net.il>; Sat, 10 May 2008 18:00:02 +0300 (IDT) In-reply-to: <87mymy6wnq.fsf@stupidchicken.com> X-012-Sender: halo1@inter.net.il X-detected-kernel: by monty-python.gnu.org: Solaris 10 (1203?) X-BeenThere: emacs-devel@gnu.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Emacs development discussions." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Original-Sender: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Xref: news.gmane.org gmane.emacs.devel:96938 Archived-At: > From: Chong Yidong > Cc: Eli Zaretskii , emacs-devel@gnu.org > Date: Sat, 10 May 2008 10:50:17 -0400 > > Eli Zaretskii writes: > > > From: "Morten Welinder" > > > > 1. Create .emacs with contents > > (global-font-lock-mode t) > > (seq font-lock-support-mode 'fast-lock-mode) > > > > 2. Create foo.c with contents /* Nothing to see here */ > > > > 3. Create foo.c.flc with contents (message "Something to see here!") > > > > 4. Start Emacs and load foo.c > > > > - --> Observe that code from foo.c.flc is run. Not good. > > (This is with Emacs 21.3.1; XEmacs is also affected, although step 1 needs to > > be adjusted.) > > > > Suggestions: > > > > a. Remove "." from fast-lock-cache-directories. Littering little > > files everywhere is not a good idea anyway. > > > > b. Don't use load to handle the .flc file. Instead read it into a > > buffer and read one s-expression at a time and verify that it is sane > > before evaluating it. > > Simon, could you take a look at this (you're listed as the author of > fast-lock.el)? Please keep Morten on the CC list of this thread. I don't want to have to forward messages back and forth forever.