bug-gnu-emacs
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: HOW CAN I STOP THIS NOVICE MODE STUFF?

From: Michael Schierl
Subject: Re: HOW CAN I STOP THIS NOVICE MODE STUFF?
Date: Tue, 25 Dec 2007 23:32:41 +0100
User-agent: 40tude_Dialog/2.0.14.1 
On Tue, 25 Dec 2007 09:45:07 -0800, Bruce Korb wrote:

> "anyone", I would hope :).  Perhaps I was mistaken.  I thought
> these incantations were constrained to setting buffer local
> variable values.  

Even if they were: there are some buffer-local variables (for syntax
highlighting for example) whose subexpressions are evaluated. And, there
are local hook variables which contain Lisp code as well. So, even if
enable-local-eval is disabled (as it is by default), you could use
"backdoors" to introduce your own Lisp code by setting the right local
variables.

Therefore, every local variable that is not marked as safe-local-variable
(by the packages that declares it) will cause an "annoying" warning (which
gives you an option to ignore it the next time). On the other hand, a
variable is marked as risky-local-variable, the option

!  -- to apply the local variables list, and permanently mark these
      values (*) as safe (in the future, they will be set automatically.)

will not show up, so you will be asked over and over.

So, to avoid these messages, the best way IMHO is to ask the package
maintainer to mark the variable you want to set in your local variables as
safe.

> If they can execute arbitrary emacs lisp code,
> then it sounds very Microsoft-like.  ``Let it be easy for
> content providers and painful to secure.''  If emacs has really
> become "that powerful" then there's nothing for it but to go
> back to old versions or back to vi.  I disliked vi in 1974,
> despite "ed" being the only competition.

You can disable the local variables stuff completely, if you think it is
too insecure.

> C.F. ``See "(info ...)" and "Ch-v v enable-local-variables'', I
> am afraid that does not address this issue.  Extracted from .emacs:
> 
>   (setq enable-local-variables    't)


a) you do not need to quote t, it will quote itself
b) t and :all is not the same
c) you do not need to quote :all either :)

You can add the variable and its value to safe-local-variable-values if you
do not want to allow all variables.

Michael
-- 
#!/usr/bin/perl -I' # tekscribble.pl - start in an xterm and scribble with mouse
$|=1;$g="\35";sub g{getc}sub p{print@_}system"stty -icanon";p"\233?38h";for(;;){
p"$g\33\32";$_=g;$x=g;$X=g;$y=g;$Y=g;last if/q/;$k=$y.chr((ord$Y)+64).$x.chr((
ord$X)+32);p"\33\14"if/c/;p$g.(/ì/?$l:$k).$k;$l=$k;}p"\33\3";system"stty icanon"
reply via email to
[Prev in Thread] Current Thread [Next in Thread]