Re: Emacs Lisp's future
From: Mark H Weaver
Subject: Re: Emacs Lisp's future
Date: Tue, 07 Oct 2014 12:34:39 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3.94 (gnu/linux)

Andreas Schwab <address@hidden> writes:
> Mark H Weaver <address@hidden> writes:
>
>> However, if the overlong sequence came from the network, and Emacs
>> propagates it unchanged to internal subsystems[*] (e.g. via command-line
>> arguments to subprocesses), that's not good. It exposes another program
>> to invalid input -- a program that might not be designed for exposure to
>> possible attacks via overlong encodings.
>
> At least it doesn't make it worse (it is unchanged from the situation if
> you remove Emacs as a filter).

In the case of mere "filtering", you might be right in some cases.
However, the case I'm worried about is where some small piece of the
hostile input is extracted and passed as an argument to another program.
In cases like this it doesn't make sense to think of emacs as a
"filter", and you'd never be able to "remove" it.

It's like saying that a web application that passes unsanitized input to
an SQL query "doesn't make it worse", and that the situation is
unchanged from if you provided public access to the SQL database.

Mark
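
Added example, not part of the original message and not Emacs code: a strict UTF-8 check of the kind a program could apply to a fragment extracted from untrusted input before passing it on as a subprocess argument. The function name `utf8_strict_valid` and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Return 1 if s[0..len) is strict UTF-8 per RFC 3629: shortest-form only,
   no surrogates, nothing above U+10FFFF.  Return 0 otherwise. */
int utf8_strict_valid(const unsigned char *s, size_t len)
{
    size_t i = 0;
    while (i < len) {
        unsigned char b = s[i];
        uint32_t cp, min;   /* decoded code point; smallest value legal at this length */
        size_t n;           /* number of continuation bytes expected */

        if (b < 0x80) { i++; continue; }
        else if ((b & 0xE0) == 0xC0) { n = 1; cp = b & 0x1F; min = 0x80; }
        else if ((b & 0xF0) == 0xE0) { n = 2; cp = b & 0x0F; min = 0x800; }
        else if ((b & 0xF8) == 0xF0) { n = 3; cp = b & 0x07; min = 0x10000; }
        else return 0;                      /* stray continuation or 0xF8..0xFF */

        if (len - i <= n) return 0;         /* sequence truncated */
        for (size_t k = 1; k <= n; k++) {
            if ((s[i + k] & 0xC0) != 0x80) return 0;
            cp = (cp << 6) | (s[i + k] & 0x3F);
        }
        if (cp < min) return 0;             /* overlong encoding */
        if (cp >= 0xD800 && cp <= 0xDFFF) return 0;  /* UTF-16 surrogate */
        if (cp > 0x10FFFF) return 0;        /* beyond the Unicode range */
        i += n + 1;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample: 0xC0 0xAF is the two-byte overlong form of '/'. */
    const unsigned char arg[] = { 'e', 't', 'c', 0xC0, 0xAF, 'x' };
    size_t len = sizeof arg;

    /* A byte-level filter finds no '/', yet a lenient decoder downstream
       would produce one; strict validation rejects the fragment first. */
    printf("byte scan sees '/': %s\n", memchr(arg, '/', len) ? "yes" : "no");
    printf("strict UTF-8 valid: %s\n", utf8_strict_valid(arg, len) ? "yes" : "no");
    return 0;
}
```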