[Erbot-discuss] Re: SECURITY FLAW: fs-apply, fs-funcall, etc.!


From: Deepak Goel
Subject: [Erbot-discuss] Re: SECURITY FLAW: fs-apply, fs-funcall, etc.!
Date: Mon, 27 Feb 2006 16:43:20 -0500
User-agent: Gnus/5.1007 (Gnus v5.10.7) Emacs/21.4 (gnu/linux)

Deepak Goel <address@hidden> writes:

> [security flaw] Discovered By lde @ #emacs

[...]

>
> please don't use erbot.  

I have fixed the bug, and believe that erbot is safe to use again.

However, following this shameful incident, I also did this: turned off
all "add-on" afterthoughts like apply, setf, sregex, funcall, in fsbot
and in the default configuration of erbot.  Only the basic sandboxing
"eval" features remain enabled.  Most of them, barring 'apply and
'funcall, were already off by default.  Also, a new variable:


        * erbot.el (erbot-paranoid-p): Make this new variable a catchall
        for security. t by default.  No enablings like erbot-setf-p,
        etc. will work unless this is non-nil. If this is non-nil, erbot
        is paranoid, it will not allow apply, setf, funcall, sregex,
        etc. even if the corresponding variables are turned on.







