help-gnu-emacs
Re: eval and security


From: tomas
Subject: Re: eval and security
Date: Mon, 24 Oct 2016 14:31:52 +0200
User-agent: Mutt/1.5.21 (2010-09-15)

On Mon, Oct 24, 2016 at 02:20:44PM +0200, Andreas Röhler wrote:
> Hi,
> 
> remember a saying like "avoid calls like (eval 'my-symbol) in
> lisp-code" as related to security issues.
> 
> Is there some reading to learn more? Maybe I'm mistaking something?

Perhaps because a randomly downloaded package can redefine 'my-symbol
to be something evil?

In any case, if you indirect your code through user-overridable
stuff (e.g. hooks), the least you can do is to use a defvar
marking the thing as "risky": then Emacs will do its best to
avoid changing it when the user doesn't expect it.

There's a chapter "Security Considerations" in the Emacs Lisp
manual[1].

regards

[1] https://www.gnu.org/software/emacs/manual/html_node/elisp/Security-Considerations.html

-- t
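
The "risky" marking mentioned in the message above, shown as an added Emacs Lisp example that is not part of the original post. All `my-pkg-` names are hypothetical; `risky-local-variable-p` and `safe-local-variable-p` are the standard Emacs predicates.

```elisp
;;; Constructed example; every `my-pkg-' name is hypothetical.

;; A variable whose value is *called*: whoever sets it runs code.
(defvar my-pkg-formatter #'identity
  "Function called with one string by `my-pkg-format'.")

;; Mark it risky: with the default settings Emacs asks the user before
;; applying a value that comes from a file's local-variables section
;; or from a .dir-locals.el file.
(put 'my-pkg-formatter 'risky-local-variable t)

(defun my-pkg-format (string)
  "Pass STRING through `my-pkg-formatter'."
  (funcall my-pkg-formatter string))

;; A data-only variable: declare which values are safe to apply.
(defvar my-pkg-indent 2
  "Indentation width used by my-pkg.")
(put 'my-pkg-indent 'safe-local-variable #'integerp)

(defun my-pkg-audit ()
  "Return a plist showing how Emacs classifies the variables above."
  (list
   ;; Risky because of the explicit property.
   :formatter-risky (risky-local-variable-p 'my-pkg-formatter)
   ;; Names ending in -hook, -function, -command, ... are risky by name,
   ;; even without the property.
   :hook-risky-by-name (risky-local-variable-p 'my-pkg-after-save-hook)
   ;; The data-only variable is not risky.
   :indent-risky (risky-local-variable-p 'my-pkg-indent)
   ;; An integer passes the declared predicate; a list does not.
   :indent-4-safe (safe-local-variable-p 'my-pkg-indent 4)
   :indent-list-safe (safe-local-variable-p 'my-pkg-indent '(some-form))))
```

Evaluating `(my-pkg-audit)` in a scratch buffer shows which of the variables Emacs treats as risky and which values it accepts as safe.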


