emacs-devel

Re: The `risky-local-variable' blacklist


From: Stefan
Subject: Re: The `risky-local-variable' blacklist
Date: 31 Aug 2004 10:01:03 -0400
User-agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.3.50

> (Apologies in advance for a long message, but this is a long issue.)
> While looking at diffs for `timeclock.el', I noticed the addition of a
> risky-local-variable declaration for "timeclock-mode-string".  This is
> certainly justified, but calls forth a bigger concern: is it wise to apply
> a 'trust by default' policy when such innocuous-looking variables as that
> mode-string can completely compromise a user's security (including
> modifying configurations for further attacks)?

Actually, for mode-line variables, the situation is a bit more complex:
the lack of "risky-local-variable" annotation was not introducing any kind
of security hole because when we interpret a mode-line-string, we discard
any "dangerous" element (such as "eval") unless the variable is marked as
"risky".  I.e. either we check its safety via the "risky" annotation or we
assume it's dangerous and we only use known-safe elements.

So the "risky" annotation was only added in order to enable potentially
dangerous things like "eval" in that variable.


        Stefan
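
The policy described in the message above, as an added example in Emacs Lisp: this is a simplified model written for this page, not Emacs's own code and not part of the original post. All `demo-` names are hypothetical, and only strings, variables, lists and `:eval` forms are modeled (conditional and width constructs are left out).

```elisp
;;; -*- lexical-binding: t -*-
;; Simplified model of the mode-line policy; NOT the Emacs implementation.
;; Every `demo-' name is hypothetical.

(defun demo-mode-line-safe-elements (elt &optional untrusted)
  "Return the list of strings ELT would contribute to a mode line.
When UNTRUSTED is non-nil, `:eval' forms are discarded instead of run.
Entering a variable that lacks the `risky-local-variable' property
turns UNTRUSTED on for everything reached through that variable."
  (cond
   ;; Plain strings are known-safe elements and are always kept.
   ((stringp elt) (list elt))
   ;; A variable: its value is only as trustworthy as its annotation.
   ((and elt (symbolp elt) (not (eq elt t)) (not (keywordp elt)))
    (when (boundp elt)
      (demo-mode-line-safe-elements
       (symbol-value elt)
       (or untrusted (not (get elt 'risky-local-variable))))))
   ;; The dangerous element: evaluated only on a trusted path.
   ((eq (car-safe elt) :eval)
    (unless untrusted
      (demo-mode-line-safe-elements (eval (cadr elt) t) untrusted)))
   ;; A list of constructs: process each one under the same trust level.
   ((consp elt)
    (apply #'append
           (mapcar (lambda (e) (demo-mode-line-safe-elements e untrusted))
                   elt)))))

;; Constructed sample values: two variables holding the same construct.
(defvar demo-unmarked-string '("plain " (:eval (concat "ev" "aled"))))
(defvar demo-marked-string   '("plain " (:eval (concat "ev" "aled"))))

;; Only this one is annotated, which is also what makes Emacs treat a
;; file-local setting of it as risky.
(put 'demo-marked-string 'risky-local-variable t)

;; Unannotated variable: the string survives, the `:eval' form is dropped.
(demo-mode-line-safe-elements 'demo-unmarked-string)

;; Annotated variable: the `:eval' form is run and its result is kept.
(demo-mode-line-safe-elements 'demo-marked-string)
```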



