RE: Security flaw in enable-local-eval; new release plan
From: Herring, Davis
Subject: RE: Security flaw in enable-local-eval; new release plan
Date: Mon, 13 Aug 2012 12:45:33 +0000
> (let ((safe (or (hack-one-local-variable-eval-safep
>                  (eval (quote val)))
>                 ;; In case previously marked safe (bug#5636).
>                 (safe-local-variable-p var val))))
> [...]
> It seems control reaches ‘eval’ before reaching the ‘:safe’ check, thus
> defeating the check. Am I missing something?
The `eval' is of a `quote', so I don't know why it's not just `val'.
Meanwhile, calling `safe-local-variable-p' for the `eval' pseudo-variable seems
wrong to me, even though by default nothing is safe for it (and it would be
insane to put an entry, nominally for `eval''s value as a variable, in
`safe-local-variable-values').
Davis