[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: security problem in emacs

From: Georgi Guninski
Subject: Re: security problem in emacs
Date: Tue, 31 Dec 2002 17:42:59 +0200
User-agent: Mozilla/5.0 (X11; Linux)

Alfred M. Szmidt wrote:

   Is the new attached file also fixed?

Emacs CVS gives a warning about the code.

So since emacs CVS fixes at least 2 security bugs you may think about releasing a new version or at least patches.

   I suggest you disable local variables by default - they are not
   portable and some people use emacs for examining untrusted log
   files or read mail.

Disabling local variables completely seems silly.  Making Emacs warn
the user when running local-hook's or eval's is a far better idea;
which is done in CVS.  Local variables are very useful.

I continue to disagree that local variables on by default is a good idea, but am tired of arguing about it.
So here are some last arguments:
1. I found 2 security bugs on release version of emacs in less than week. How many left do you think are? Of course the idea of warning about eval or hooks seems good, but covering all cases of non-obvious evals in a large project is difficult task.

2. Lusers like micro$oft thought in the beginning that scripting in email/word is a good idea and it is sandboxed. Now it is off by default in their email products. Think about it.

3. Local variables are not portable accross editors, which makes them almost useless, unless every document has all the version of local variables for every editor.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]