help-gnu-emacs

Re: CVE-2017-14482 - Red Hat Customer Portal


From: Robert Thorpe
Subject: Re: CVE-2017-14482 - Red Hat Customer Portal
Date: Sun, 24 Sep 2017 19:29:17 +0100

Philipp Stephani <p.stephani2@gmail.com> writes:

> Eli Zaretskii <eliz@gnu.org> wrote on Sun, 24 Sep 2017 at 04:54:
>
>> > From: Yuri Khan <yuri.v.khan@gmail.com>
>> > Date: Sun, 24 Sep 2017 03:50:51 +0700
>> > Cc: "help-gnu-emacs@gnu.org" <help-gnu-emacs@gnu.org>
>> >
>> > On Sun, Sep 24, 2017 at 12:34 AM, Eli Zaretskii <eliz@gnu.org> wrote:
>> >
>> > > Why are you visiting a file about which you know nothing at all?
>> >
>> > Why not? Opening a file in a text editor is not normally considered a
>> > hazardous activity.
>>
>> A file whose source you don't trust or are unfamiliar with should
>> initially be examined with find-file-literally, if your security is
>> indeed important for you.  That emulates what most other text editors
>> do when you open a file.
>>
>>
> That's an unrealistic requirement; nobody will ever do this. Emacs must
> make sure to never run untrusted code when visiting a file, unless the user
> explicitly asked for it (via the enable-local-eval variable).

I think it would be very useful if Emacs had a concept of trusted-zones.

So, a person could declare their main local partition to be trusted.  Or
they could declare it to be trusted except for the browser cache (for
example).

They could declare a lower degree of trust for some directories or
mount-points.

BR,
Robert Thorpe



