Re: Emacs master, security concernes, ms-windows

[Eli Zaretskii]

> From: Fabrice Popineau <address@hidden>
> Date: Thu, 14 Sep 2017 09:58:36 +0200
> 
> Since there seems to be a lot of concerns wrt to security,
> I am submitting the attached patch.
> 
> The reason for this patch is to limit the search for dlls loaded at 
> runtime to the win32 system directory and/or the emacs application
> directory.
> In the current state, dlls can be picked up in any directory in the path.
> Some one could fake one of these dlls (xpm, png, etc.) and use it for
> mean reasons. 

I see your point, and I'm sympathetic to the concerns.  However, given
the accepted practices of installing packages on Windows, I don't
think we can do this by default.  Many times people install optional
libraries in separate directories and just add them to PATH.  Some
even install each individual package into its own directory.  I just
had a conversation off-list with one such user.  Disabling DLL look up
on PATH by default will completely screw up those users.

In addition, as others pointed out, this mode is not supported before
Vista, so we shouldn't pass that constant to LoadLibraryEx on systems
that don't support it, even if we accept such a feature as an optional
one.

Thanks.