emacs-devel

Re: address@hidden: Emacs security bug]


From: Chong Yidong
Subject: Re: address@hidden: Emacs security bug]
Date: Sat, 10 May 2008 10:50:17 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/23.0.60 (gnu/linux)

Eli Zaretskii <address@hidden> writes:

> From: "Morten Welinder" <address@hidden>
>
> 1. Create .emacs with contents
>     (global-font-lock-mode t)
>     (setq font-lock-support-mode 'fast-lock-mode)
>
> 2. Create foo.c with contents /* Nothing to see here */
>
> 3. Create foo.c.flc with contents (message "Something to see here!")
>
> 4. Start Emacs and load foo.c
>
> --> Observe that code from foo.c.flc is run.  Not good.
> (This is with Emacs 21.3.1; XEmacs is also affected, although step 1 needs to
> be adjusted.)
>
> Suggestions:
>
> a. Remove "." from fast-lock-cache-directories.  Littering little
> files everywhere is not a good idea anyway.
>
> b. Don't use load to handle the .flc file.  Instead read it into a
> buffer and read one s-expression at a time and verify that it is sane
> before evaluating it.

Simon, could you take a look at this (you're listed as the author of
fast-lock.el)?
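
Added example, not part of the original messages and not code from fast-lock.el: one way to implement suggestion (b), reading the cache file into a buffer and checking each s-expression before anything from it is used. All `example-*` names are hypothetical; it assumes a cache file consists only of calls to one known handler (here `example-cache-data`, assumed to be defined by the package) with constant arguments.

```emacs-lisp
;;; -*- lexical-binding: t -*-
;; Added illustration; every example-* name is hypothetical.

(defconst example-cache-allowed-heads '(example-cache-data)
  "Functions a cache file may name at the head of a top-level form.")

(defun example-cache-constant (arg)
  "Return the value of ARG if ARG is a constant; otherwise signal an error.
Constants are numbers, strings, keywords, nil, t and (quote DATA)."
  (cond
   ((or (numberp arg) (stringp arg) (keywordp arg) (memq arg '(nil t)))
    arg)
   ((and (eq (car-safe arg) 'quote)
         (consp (cdr arg))
         (null (cddr arg)))
    (cadr arg))                    ; quoted data is returned, never evaluated
   (t (error "Cache file: non-constant argument %S" arg))))

(defun example-cache-read-forms (file)
  "Read FILE as data and return a list of (HEAD . VALUES).
Signal an error, before anything is applied, unless every top-level form
is a call to an allowlisted HEAD whose arguments are all constants."
  (with-temp-buffer
    (insert-file-contents file)
    (let ((read-circle nil)        ; do not honor #N= / #N# circular syntax
          forms)
      (goto-char (point-min))
      (skip-chars-forward " \t\r\n\f")
      (while (not (eobp))
        ;; `read' only parses.  Truncated input or a trailing comment
        ;; signals `end-of-file', so the file is rejected (fail closed).
        (let ((form (read (current-buffer))))
          (unless (memq (car-safe form) example-cache-allowed-heads)
            (error "Cache file: unexpected form %S" form))
          ;; `mapcar' signals on a dotted list, which also rejects the file.
          (push (cons (car form) (mapcar #'example-cache-constant (cdr form)))
                forms))
        (skip-chars-forward " \t\r\n\f"))
      (nreverse forms))))

(defun example-cache-load (file)
  "Apply the validated forms of FILE; its contents never reach `load' or `eval'."
  (dolist (form (example-cache-read-forms file))
    (apply (car form) (cdr form))))
```

With the foo.c.flc from step 3 of the report, `example-cache-read-forms` signals an error because `message` is not on the allowlist, so nothing from the file is called.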



