bug#12155: 24.1; Potential Security Flaw with `enable-local-eval', `enab
From: Glenn Morris
Subject: bug#12155: 24.1; Potential Security Flaw with `enable-local-eval', `enable-local-variables'
Date: Tue, 07 Aug 2012 14:44:35 -0400
User-agent: Gnus (www.gnus.org), GNU Emacs (www.gnu.org/software/emacs/)
Thanks for the report. This issue is present in 23.2, 23.3, 23.4, 24.1,
and the current trunk, but not in 23.1.
I committed this patch to the emacs-24 branch.
I would appreciate it if others could check this.
This issue should also get an entry in test/automated to stop it recurring.
*** lisp/files.el 2012-07-01 16:38:53 +0000
--- lisp/files.el 2012-08-07 18:41:39 +0000
***************
*** 3107,3117 ****
;; Obey `enable-local-eval'.
((eq var 'eval)
(when enable-local-eval
! (push elt all-vars)
! (or (eq enable-local-eval t)
! (hack-one-local-variable-eval-safep (eval (quote val)))
! (safe-local-variable-p var val)
! (push elt unsafe-vars))))
;; Ignore duplicates (except `mode') in the present list.
((and (assq var all-vars) (not (eq var 'mode))) nil)
;; Accept known-safe variables.
--- 3107,3122 ----
;; Obey `enable-local-eval'.
((eq var 'eval)
(when enable-local-eval
! (let ((safe (or (hack-one-local-variable-eval-safep
! (eval (quote val)))
! ;; In case previously marked safe (bug#5636).
! (safe-local-variable-p var val))))
! ;; If not safe and e-l-v = :safe, ignore totally.
! (when (or safe (not (eq enable-local-variables :safe)))
! (push elt all-vars)
! (or (eq enable-local-eval t)
! safe
! (push elt unsafe-vars))))))
;; Ignore duplicates (except `mode') in the present list.
((and (assq var all-vars) (not (eq var 'mode))) nil)
;; Accept known-safe variables.
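Review bot: The comment on the new `when` form ("If not safe and e-l-v = :safe, ignore totally.") abbreviates `enable-local-variables` as "e-l-v" inside a clause that otherwise tests `enable-local-eval`, so it is easy to misread which variable gates the drop; spelling the name out would avoid that. The `safe` binding also carries over `(eval (quote val))` from the old code, and if that is only meant to fetch the value of `val` it deserves a short comment saying why it is not written as plain `val`. The diff touches only lisp/files.el, so the test/automated entry mentioned in the message is still outstanding: a case with `enable-local-variables` set to `:safe` and an `eval` local variable that is not known safe, asserting the form is not evaluated, would pin down the behaviour changed here.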