
RE: Security flaw in enable-local-eval; new release plan


From: Herring, Davis
Subject: RE: Security flaw in enable-local-eval; new release plan
Date: Mon, 13 Aug 2012 12:45:33 +0000

>    (let ((safe (or (hack-one-local-variable-eval-safep
>                     (eval (quote val)))
>                    ;; In case previously marked safe (bug#5636).
>                    (safe-local-variable-p var val))))
> [...]
> It seems control reaches ‘eval’ before reaching the ‘:safe’ check, thus
> defeating the check.  Am I missing something?

The `eval' is of a `quote', so I don't know why it's not just `val'.  
Meanwhile, calling `safe-local-variable-p' for the `eval' pseudo-variable seems 
wrong to me, even though by default nothing is safe for it (and it would be 
insane to put an entry, nominally for `eval''s value as a variable, in 
`safe-local-variable-values').

Davis

