[Erbot-discuss] Re: SECURITY FLAW: fs-apply, fs-funcall, etc.!
From: Deepak Goel
Subject: [Erbot-discuss] Re: SECURITY FLAW: fs-apply, fs-funcall, etc.!
Date: Mon, 27 Feb 2006 16:43:20 -0500
User-agent: Gnus/5.1007 (Gnus v5.10.7) Emacs/21.4 (gnu/linux)

Deepak Goel <address@hidden> writes:
> [security flaw] Discovered By lde @ #emacs
[...]
>
> please don't use erbot.
I have fixed the bug, and believe that erbot is safe to use again.
However, following this shameful incident, also did this: turned off
all "add-on" afterthoughts like apply, setf, sregex, funcall, in fsbot
and in the default configuration of erbot. Only the basic sandboxing
"eval" features remain enabled. Most of them, barring 'apply and
'funcall, were already off by default. Also, a new variable:
* erbot.el (erbot-paranoid-p): Make this new variable a catchall
for security. t by default. No enablings like erbot-setf-p,
etc. will work unless this is non-nil. If this is non-nil, erbot
is paranoid, it will not allow apply, setf, funcall, sregex,
etc. even if the corresponding variables are turned on.