Re: [Emacs-diffs] scratch/allow-custom-load-paths-in-elisp-flymake 4ef9711: Allow custom load paths in elisp's byte-compilation Flymake

[João Távora]

Stefan Monnier <address@hidden> writes:

>> +(put 'elisp-flymake-byte-compile-load-path 'safe-local-variable
>> +     (lambda (x) (and (listp x) (catch 'tag
>> +                                  (dolist (path x t) (unless (stringp path)
>> +                                                       (throw 'tag 
>> nil)))))))
>
> Just reminded me: we have a serious problem w.r.t security of
> flymake-mode in Elisp buffers: if someone enables flymake-mode for all
> elisp-mode buffers (i.e. what I'd like to do by default), the mere act
> of visiting an Elisp file means that file will be passed to byte-compile
> which will happily execute some of the code within, running arbitrarily
> dangerous code.

True.  And that's why we don't enable flymake-mode automatically, and
possibly never will (unless we come up with a solution).  The fact that
it is so inherently dangerous is the reason that I considered adding a
safety spec to elisp-flymake-byte-compile-load-path at all, because
having flymake-mode in elisp is already quite dangerous it itself.

But it does make it slightly *more* dangerous, because you can visit a
file that would otherwise be safe, but be betrayed by a .dir-locals.el
that spoofs the load-path to run some attacker's code.  Not sure if this
is a reasonable scenario.

So should I push this to master with or without the safety spec?

João