emacs-devel

Re: Emacs Arbitrary Code Execution and How to Avoid It


From: Daniel Radetsky
Subject: Re: Emacs Arbitrary Code Execution and How to Avoid It
Date: Tue, 10 Dec 2024 10:03:52 -0800

On Fri, Dec 06, 2024 at 11:23:20PM -0500, Richard Stallman wrote:
> [[[ To any NSA and FBI agents reading my email: please consider    ]]]
> [[[ whether defending the US Constitution against all enemies,     ]]]
> [[[ foreign or domestic, requires you to follow Snowden's example. ]]]
>
>   > I get it, though similar concepts are in many editors. As you said,
>   > "if flymake is enabled" which means that user enabling flymake should
>   > get informed of it.
>
> I firmly disagree.  For Emacs to spontaneously execute code in files
> that users did not say should be executed is simply unacceptable.

As I understand it, the issue is that the user has already
said "execute elisp code in any elisp-mode files," and that
it is common for the user to have said this. This is why the
reporter mentioned that popular emacs distros like doom
enable this behavior by default. I don't believe there was
any suggestion that vanilla emacs allowed this.

> Warning users that this may happen is not sufficient -- we need to
> _fix_ the problem.

If the user has already asked emacs to execute elisp, the
only thing that could IMO count as a fix is to _prevent_
them from doing this. Or at least to require that they
reconfirm that this is what they want when emacs wants to
execute the elisp, like with disabled commands.


