[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Network security manager

From: Ted Zlatanov
Subject: Re: Network security manager
Date: Tue, 18 Nov 2014 13:22:11 -0500
User-agent: Gnus/5.130012 (Ma Gnus v0.12) Emacs/25.0.50 (gnu/linux)

On Tue, 18 Nov 2014 18:57:15 +0100 Lars Magne Ingebrigtsen <address@hidden> 

LMI> Ted Zlatanov <address@hidden> writes:

LMI> What are the security implications of inserting an image from a source
LMI> we can't validate?
>> Malicious binary payloads in images are quite common.  There are also
>> attacks/exploits/hacks that load Javascript from images.

LMI> I really hope we don't have any exploitable bugs in the image handling
LMI> code.

On many platforms (NS comes to mind) image handling happens before Emacs
knows about it.  So this is not necessarily an Emacs issue.

Here's a list of libpng (just picking one library out of many that Emacs
uses) CVEs: 

Do we care? I do, others may not. Regardless, I don't think Emacs should
choose to sometimes disregard the HTTP/S channel's security checks.  If
it does, it would be a rather unique web browser.

>> OK with me, that's a good solution for this particular case.  But there
>> will be others where you can't see the things that went wrong in the
>> background.  I suggested a modeline indicator previously... it's better
>> than silent failure, right?

LMI> Well...  No, annoying the user with things the user doesn't care about
LMI> is worse than silent failure.  >"?

I don't think a passive indicator e.g. in the modeline is annoying. If
you make the list of failures accessible somehow, the rest can be done
by add-ons, so we don't need to figure it out now.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]