Re: The `risky-local-variable' blacklist
From: Stefan
Subject: Re: The `risky-local-variable' blacklist
Date: 31 Aug 2004 10:01:03 -0400
User-agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.3.50
> (Apologies in advance for a long message, but this is a long issue.)
> While looking at diffs for `timeclock.el', I noticed the addition of a
> risk-local-variable declaration for "timeclock-mode-string". This is
> certainly justified, but calls forth a bigger concern: is it wise to apply
> a 'trust by default' policy when such innocuous-looking variables as that
> mode-string can completely compromise a user's security (including
> modifying configurations for further attacks)?
Actually, for mode-line variables, the situation is a bit more complex:
the lack of "risky-local-variable" annotation was not introducing any kind
of security hole because when we interpret a mode-line-string, we discard
any "dangerous" element (such as "eval") unless the variable is marked as
"risky". I.e. either we check its safety via the "risky" annotation or we
assume it's dangerous and we only use known-safe elements.
So the "risky" annotation was only added in order to enable potentially
dangerous things like "eval" in that variable.
Stefan
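
Added example, not part of the message above and not the Emacs display code: a simplified Emacs Lisp model of the rule Stefan describes, in which "eval" elements reached through a variable are discarded unless that variable carries the `risky-local-variable' property. The `my/' names and the sample value are hypothetical; the model assumes proper lists and handles only strings, symbols, lists and (:eval FORM) elements.

```elisp
;;; Simplified model of the mode-line rule described in the message.
;;; Hypothetical names; this is not how xdisp.c is written.

(defun my/mode-line-filter (construct &optional untrusted)
  "Return CONSTRUCT with (:eval FORM) elements removed when UNTRUSTED.
Looking up a symbol that has no non-nil `risky-local-variable'
property marks everything reached through its value as untrusted."
  (cond
   ;; Literal strings, nil, t and keywords are returned as they are.
   ((or (stringp construct)
        (memq construct '(nil t))
        (keywordp construct))
    construct)
   ;; A variable: descend into its value.  Without the "risky"
   ;; annotation nobody has vouched for the value, so assume the worst.
   ((symbolp construct)
    (when (boundp construct)
      (my/mode-line-filter
       (symbol-value construct)
       (or untrusted
           (not (get construct 'risky-local-variable))))))
   ;; The dangerous element: keep it only on a trusted path.
   ((eq (car-safe construct) :eval)
    (unless untrusted construct))
   ;; Any other list: filter each element, dropping discarded ones.
   ((consp construct)
    (delq nil (mapcar (lambda (element)
                        (my/mode-line-filter element untrusted))
                      construct)))
   ;; Numbers and anything else pass through unchanged.
   (t construct)))

;; Constructed sample value, in the spirit of `timeclock-mode-string'.
(defvar my/demo-mode-string
  '("clock " (:eval (format-time-string "%H:%M"))))

;; Case 1: no annotation, so only the known-safe elements survive.
(put 'my/demo-mode-string 'risky-local-variable nil)
(message "unannotated: %S" (my/mode-line-filter 'my/demo-mode-string))

;; Case 2: annotated as risky, so the :eval element is allowed through.
(put 'my/demo-mode-string 'risky-local-variable t)
(message "risky:       %S" (my/mode-line-filter 'my/demo-mode-string))
```

Either branch is safe on its own terms: the unannotated variable can be set freely but cannot run code, while the annotated one can run code but is subject to the checks Emacs applies to risky variables.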