emacs-devel

Re: Emacs Arbitrary Code Execution and How to Avoid It


From: Richard Stallman
Subject: Re: Emacs Arbitrary Code Execution and How to Avoid It
Date: Wed, 11 Dec 2024 23:48:19 -0500

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

  > As I understand it, the issue is that the user has already
  > said "execute elisp code in any elisp-mode files," 

Does the user literally say that, or does the user say something
different which you _interpret_ as _tantamount_ to saying that?

It makes a big difference here.

  > If the user has already asked emacs to execute elisp, the
  > only thing that could IMO count as a fix is to _prevent_
  > them from doing this.

Preventing this is the sort of fix I have in mind.  But I have not yet
come across a message explaining precisely what user actions activate
that behavior.  Until I learn that, I won't fully understand the
issue.  I asked for that info, and I hope I soon come across a
response.

But it looks like this consequence came as a surprise.  So I think we
did not anticipate, when adding the feature, that it would have this
effect.  We did not intentionally add the feature as a way for users to
say, "Go ahead and randomly execute Elisp code from any of my visited
files."

If we actually want to offer a command by which the user says to
execute unpredictably parts of whatever Elisp files get visited, Emacs
should warn per that "this is dangerous" and ask per to confirm with
`yes'.  We should not let users risk stumbling into this mode without
knowing what care they will have to take in this mode.

But even with understanding, it would be unwise to accept.  Everyone
who uses Emacs and looks at Emacs Lisp code will occasionally visit a
file of Elisp code which is _not_ part of per own work.  So even if
perse wants this feature for all of a certain project, perse could
fall into a trap by enabling it for _all_ Elisp files that are
visited.

This leads me to think of setting up a more selective interface
whereby you would enable this for source files of a specific project.

Maybe that would give enough control that it could be safe and yet
still convenient.

-- 
Dr Richard Stallman (https://stallman.org)
Chief GNUisance of the GNU Project (https://gnu.org)
Founder, Free Software Foundation (https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)




