bug#37656: 27.0.50; Opening file with specially crafted local variables
From: Stefan Monnier
Subject: bug#37656: 27.0.50; Opening file with specially crafted local variables can cause arbitrary code execution
Date: Wed, 16 Oct 2019 09:13:43 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.0.50 (gnu/linux)
> -*- mode: emacs-lisp; mode: flymake -*-
>
> (eval-when-compile
>   (with-temp-file "~/emacs_flymake_security_bug"
>     (insert "Could have also executed any code.")))
Yes, it's a serious (and, sadly, known) problem.

I think it goes further than just flymake support for Elisp: flymake
support for other major modes may also end up running arbitrary code
(tho it will depend on the specifics).

So, I think flymake should have a list of "safe" places where it can
treat files like it does now, and any file found elsewhere should be
treated with more care either by simply disabling flymake or disabling
some of its backends, or making its backends more careful (e.g. to
compile those files in a mode where `eval-when-compile` is not executed
or is only executed after passing it through a stringent safety test).

Stefan
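As an added illustration of the allow-list idea in the message above (this is example code written for this page, not part of Stefan's mail nor of Emacs or flymake): a user-level list of "safe" directories, and an `emacs-lisp-mode` hook that drops the byte-compiling flymake backend for any file found elsewhere. The byte compiler is the backend that evaluates `eval-when-compile` forms, so keeping only the checkdoc backend on untrusted files removes the code-execution path shown in the report. The `my-` names and the directory list are assumptions; `elisp-flymake-byte-compile`, `elisp-flymake-checkdoc` and `flymake-diagnostic-functions` are the real names from elisp-mode.el and flymake.el.

```elisp
;; Example (not part of Emacs): restrict the risky Flymake backend to
;; files under an explicit allow-list of directories.  The `my-' names
;; and the directories below are placeholders chosen for this example.

(require 'seq)

(defvar my-flymake-safe-directories
  (list (expand-file-name "~/src/emacs/")
        (expand-file-name "~/.emacs.d/lisp/"))
  "Directories whose files are trusted enough for the byte-compiling backend.
Everything else is treated as untrusted input.")

(defun my-flymake-file-safe-p (file)
  "Return non-nil if FILE lives inside one of `my-flymake-safe-directories'.
Symlinks are resolved first, so a link placed in a safe directory that
points at an untrusted location does not count as safe."
  (when file
    (let ((real (file-truename file)))
      (seq-some (lambda (dir)
                  (file-in-directory-p real (file-truename dir)))
                my-flymake-safe-directories))))

(defun my-flymake-restrict-elisp-backend ()
  "Remove the byte-compiling backend for Emacs Lisp buffers outside safe dirs.
`elisp-flymake-byte-compile' runs the byte compiler on the buffer, which
executes `eval-when-compile' forms; `elisp-flymake-checkdoc' only reads the
source, so it is left in place for untrusted files."
  (unless (my-flymake-file-safe-p buffer-file-name)
    (remove-hook 'flymake-diagnostic-functions
                 #'elisp-flymake-byte-compile t)
    (message "flymake: byte-compile backend disabled for untrusted file %s"
             (or buffer-file-name (buffer-name)))))

;; `emacs-lisp-mode' installs its backends in the mode body, and mode hooks
;; run after that body, so this hook can drop the risky backend before
;; `flymake-mode' is enabled for the buffer.
(add-hook 'emacs-lisp-mode-hook #'my-flymake-restrict-elisp-backend)
```

With this in the init file, opening the reporter's test file from a download directory still gives checkdoc diagnostics but never invokes the byte compiler; the same file opened under `~/src/emacs/` keeps both backends. Note that this only covers the Elisp backend: as the message points out, backends for other major modes need the same per-directory decision made for whatever tool they spawn.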