emacs-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Risky local variable mechanism


From: Luc Teirlinck
Subject: Re: Risky local variable mechanism
Date: Mon, 6 Feb 2006 20:47:31 -0600 (CST)

There are some things I misunderstood about this problem, because the
documentation in the Elisp manual was misleading.  It seemed to
suggest that most of the variables and features in question affect
whether setting file local variables is allowed, whereas they only
determine whether setting them is affected by `enable-local-eval'.
If `enable-local-eval' has its default value 'maybe, the user gets
_asked_ whether to set the file local variables.  The lone exceptions
are the variables in `ignored-local-variables', which unconditionally
can not be set.  Another exception is that a user running as root can
not set file local variables to values controlled by
`enable-local-eval', regardless of the value of `enable-local-eval'.

So we are just talking about which variables to _warn_ the user about.
I personally have `enable-local-variables' set to 'query for ages and
I have never found these questions too inconvenient.

So why do we not play it super-safe and just set the default value of
`enable-local-variables' to 'maybe?  That would not require _any_ changes,
other than a bugfix to ses, for which I am about to submit a patch
anyway.  If a user wants to live more dangerously, he can always set
the value of enable-local-variables back to t. 

To understand the problem better myself, I rewrote the misleading
Elisp manual node.  I include a patch below.  If we are going to
completely change the mechanism (rather than just the default of
`enable-local-variables'), the patches below affect nodes that would
have to be completely rewritten after the changes anyway, but I could
install them if it could help other people understand the present
situation and hence the problem better.  The current node is
misleading.  So are several docstrings, but I did not rewrite those,
since if we would change the mechanism completely, this would be moot.

===File ~/custom.texi-diff==================================
*** custom.texi 05 Feb 2006 16:45:32 -0600      1.107
--- custom.texi 06 Feb 2006 17:53:59 -0600      
***************
*** 1196,1202 ****
    The @code{safe-local-eval-forms} is a customizable list of eval
  forms which are safe to eval, so Emacs should not ask for
  confirmation to evaluate these forms, even if
! @code{enable-local-variables} says to ask for confirmation in general.
  
  @node Key Bindings
  @section Customizing Key Bindings
--- 1196,1202 ----
    The @code{safe-local-eval-forms} is a customizable list of eval
  forms which are safe to eval, so Emacs should not ask for
  confirmation to evaluate these forms, even if
! @code{enable-local-eval} says to ask for confirmation in general.
  
  @node Key Bindings
  @section Customizing Key Bindings
============================================================

===File ~/variables.texi-diff===============================
*** variables.texi      06 Feb 2006 16:02:08 -0600      1.71
--- variables.texi      06 Feb 2006 20:12:58 -0600      
***************
*** 1774,1828 ****
    If a file local variable could specify a function that would
  be called later, or an expression that would be executed later, simply
  visiting a file could take over your Emacs.  To prevent this, Emacs
! takes care not to allow to set such file local variables.
  
!   For one thing, any variable whose name ends in any of
! @samp{-command}, @samp{-frame-alist}, @samp{-function},
! @samp{-functions}, @samp{-hook}, @samp{-hooks}, @samp{-form},
! @samp{-forms}, @samp{-map}, @samp{-map-alist}, @samp{-mode-alist},
! @samp{-program}, or @samp{-predicate} cannot be given a file local
! value.  In general, you should use such a name whenever it is
! appropriate for the variable's meaning.  The variables
! @samp{font-lock-keywords}, @samp{font-lock-keywords} followed by a
! digit, and @samp{font-lock-syntactic-keywords} cannot be given file
! local values either.  These rules can be overridden by giving the
! variable's name a address@hidden @code{safe-local-variable} property.
! If one gives it a @code{safe-local-variable} property of @code{t},
! then one can give the variable any file local value.  One can also
! give any symbol, including the above, a @code{safe-local-variable}
! property that is a function taking exactly one argument.  In that
! case, giving a variable with that name a file local value is only
! allowed if the function returns address@hidden when called with that
! value as argument.
  
!   In addition, any variable whose name has a address@hidden
! @code{risky-local-variable} property is also ignored.  So are all
! variables listed in @code{ignored-local-variables}:
  
! @defvar ignored-local-variables
! This variable holds a list of variables that should not be given local
! values by files.  Any value specified for one of these variables is
! ignored.
! @end defvar
  
  @defun risky-local-variable-p sym &optional val
! If @var{val} is address@hidden, returns address@hidden if giving
! @var{sym} a file local value of @var{val} would be risky, for any of
! the reasons stated above.  If @var{val} is @code{nil} or omitted, only
! returns @code{nil} if @var{sym} can be safely assigned any file local
! value whatsoever.
  @end defun
  
!   The @samp{Eval:} ``variable'' is also a potential loophole, so Emacs
! normally asks for confirmation before handling it.
! 
! @defopt enable-local-eval
! This variable controls processing of @samp{Eval:} in @samp{-*-} lines
! or local variables
! lists in files being visited.  A value of @code{t} means process them
! unconditionally; @code{nil} means ignore them; anything else means ask
! the user what to do for each file.  The default value is @code{maybe}.
! @end defopt
  
    Text properties are also potential loopholes, since their values
  could include functions to call.  So Emacs discards all text
--- 1774,1832 ----
    If a file local variable could specify a function that would
  be called later, or an expression that would be executed later, simply
  visiting a file could take over your Emacs.  To prevent this, Emacs
! normally queries you before setting such file local variables.
  
! @defopt enable-local-eval
! This variable controls processing of the @samp{Eval:} ``variable'' and
! other risky local variables in @samp{-*-} lines or local variables
! lists in files being visited.  A value of @code{t} means process them
! unconditionally; @code{nil} means ignore them; anything else means ask
! the user what to do for each file.  The default value is @code{maybe}.
  
! A user running as root can not set these risky variables, regardless
! of the value of @code{enable-local-eval}.
! @end defopt
  
!   Any variable whose name ends in any of @samp{-command},
! @samp{-frame-alist}, @samp{-function}, @samp{-functions},
! @samp{-hook}, @samp{-hooks}, @samp{-form}, @samp{-forms}, @samp{-map},
! @samp{-map-alist}, @samp{-mode-alist}, @samp{-program}, or
! @samp{-predicate} is subject to @code{enable-local-eval}.  In general,
! you should use such a name whenever it is appropriate for the
! variable's meaning.  @code{enable-local-eval} also affects the
! variables @samp{font-lock-keywords}, @samp{font-lock-keywords}
! followed by a digit, and @samp{font-lock-syntactic-keywords}.  These
! rules can be overridden by giving the variable's name a address@hidden
! @code{safe-local-variable} property.  If one gives it a
! @code{safe-local-variable} property of @code{t}, then the variable is
! only subject to @code{enable-local-variables}.  One can also give any
! symbol, including the above, a @code{safe-local-variable} property
! that is a function taking exactly one argument.  In that case, giving
! a variable with that name a file local value is only subject to
! @code{enable-local-eval} if the function returns address@hidden when
! called with that value as argument.
! 
!   In addition, any variable whose name has a address@hidden
! @code{risky-local-variable} property is also subject to
! @code{enable-local-eval}.
  
  @defun risky-local-variable-p sym &optional val
! If @var{val} is address@hidden, returns address@hidden if
! @code{enable-local-eval} affects giving @var{sym} a file local value
! of @var{val}.  If @var{val} is @code{nil} or omitted, only returns
! @code{nil} if @code{enable-local-eval} does not affect assigning
! @var{sym} any file local value whatsoever.
! 
! This function ignores the value of @code{ignored-local-variables} (see
! below), because Emacs ignores the variables in that list,
! @emph{regardless} of the value of @code{enable-local-eval}.
  @end defun
  
! @defvar ignored-local-variables
! This variable holds a list of variables that should not be given local
! values by files, regardless of the value of @code{enable-local-eval}.
! Any value specified for one of these variables is unconditionally ignored.
! @end defvar
  
    Text properties are also potential loopholes, since their values
  could include functions to call.  So Emacs discards all text
============================================================




reply via email to

[Prev in Thread] Current Thread [Next in Thread]