[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Emacs-diffs] /srv/bzr/emacs/emacs-24 r108098: * admin/bzrmerge.el (

From: Glenn Morris
Subject: Re: [Emacs-diffs] /srv/bzr/emacs/emacs-24 r108098: * admin/bzrmerge.el (bzrmerge-resolve): Disable local eval:.
Date: Fri, 10 Aug 2012 16:42:16 -0400
User-agent: Gnus (www.gnus.org), GNU Emacs (www.gnu.org/software/emacs/)

Stefan Monnier wrote:

> I had the impression that it only affects unusual configurations.

Non-default configs; don't know if I would say "unusual".

   (setq enable-local-variables :safe)

is all you need.

There were a few places in Emacs that use that setting (without setting
enable-local-eval to nil). I don't think any of them were obviously
exploitable though. The autoloads one is in theory:

mkdir /tmp/foo
cd /tmp/foo
cat <<EOF > foo.el
(setq foo t)

;; Local Variables:
;; eval: (shell-command "touch /tmp/OHDEAR")
;; End:

rm -f /tmp/OHDEAR

emacs-24.1 -Q -l autoload \
 --eval "(setq generated-autoload-file \"$PWD/loaddefs.el\")" \
 --batch -f batch-update-autoloads .

ls /tmp/OHDEAR

But I suppose no-one creates autoloads without also byte-compiling,
which could already eval arbitrary code.

But there could be some third-party code that binds
enable-local-variables to :safe around some operation, intending to make
things safer for the user, but actually doing the opposite.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]