emacs-devel

Re: Please rename trusted-content to trusted-contents


From: Stefan Monnier
Subject: Re: Please rename trusted-content to trusted-contents
Date: Tue, 24 Dec 2024 00:14:38 -0500
User-agent: Gnus/5.13 (Gnus v5.13)

The ensuing discussion makes me think the current identifiers are fine.


        Stefan


Stefan Monnier [2024-12-21 23:48:45] wrote:

>>>> so if he is okay with that name, we are not in a bad place.
>>> I'm copying in Stefan Monnier, in case he has any comments.
>> Indeed, I hesitated between `trusted-content` and `trusted-contents` but
>> not long enough to learn which is right.
>
> OK, I tried to figure it out, but at least the info I found wasn't
> very definitive.  It seems to have to do with whether it's countable or
> not, or whether it describes the "conceptual ideas" contained as opposed
> to the actual elements contained.
> I'm not sure which is more appropriate in this case and even less sure
> that one of the two is wrong.
>
> A related question is what to do with `untrusted-content` (which is the
> identifier with which I aligned mine).  If we rename `trusted-content`,
> we should likely rename `untrusted-content` as well (and this one
> would require a backward compatibility alias).
>
>> I'll rename it ASAP, thanks Richard!
>
> Here's the patch I came up with via `grep` (without renaming
> `untrusted-content`).
>
>
>         Stefan
>
>
> diff --git a/doc/emacs/misc.texi b/doc/emacs/misc.texi
> index 97a82747bfc..e0ce2233cfe 100644
> --- a/doc/emacs/misc.texi
> +++ b/doc/emacs/misc.texi
> @@ -298,9 +298,9 @@ Host Security
>  Flymake, completion, and some other features, unless the visited file is
>  @dfn{trusted}.  It is up to you to specify which files on your system
>  should be trusted, by customizing the user option
> -@code{trusted-content}.
> +@code{trusted-contents}.
>  
> -@defopt trusted-content
> +@defopt trusted-contents
>  The value of this option is @code{nil} by default, which means no file
>  is trusted.  You can customize the variable to be a list of one or more
>  names of trusted files and directories.  A file name that ends in a
> diff --git a/etc/NEWS b/etc/NEWS
> index 61cb66387bb..5ce4c3cd7f8 100644
> --- a/etc/NEWS
> +++ b/etc/NEWS
> @@ -200,7 +200,7 @@ see the variable 'url-request-extra-headers'.
>  * Changes in Emacs 30.1
>  
>  +++
> -** New user option 'trusted-content' to allow potentially dangerous features.
> +** New user option 'trusted-contents' to allow potentially dangerous 
> features.
>  This variable lists those files and directories whose content Emacs should
>  consider as sufficiently trusted to run any part of the code contained
>  therein even without any explicit user request.
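
Review bot: The added line in the first etc/NEWS hunk is split in two as shown here ("...potentially dangerous" on the `+` line, "features." on an unprefixed line), and the following `@@` header and the long context lines in lisp/files.el are split the same way, so the patch in this form will not apply. Resend it as an attachment or with line wrapping disabled.
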
> @@ -1871,7 +1871,7 @@ In the past they included a terminating newline in most 
> cases but not all.
>  +++
>  *** 'elisp-flymake-byte-compile' is disabled for untrusted files.
>  For security reasons, this backend can be used only in those files
> -specified as trusted according to 'trusted-content' and emits an
> +specified as trusted according to 'trusted-contents' and emits an
>  "untrusted content" warning otherwise.
>  This fixes CVE-2024-53920.
>  
> diff --git a/lisp/files.el b/lisp/files.el
> index 86eff296459..62905da1ee5 100644
> --- a/lisp/files.el
> +++ b/lisp/files.el
> @@ -714,7 +714,7 @@ untrusted-content
>  This variable might be subject to change without notice.")
>  (put 'untrusted-content 'permanent-local t)
>  
> -(defcustom trusted-content nil
> +(defcustom trusted-contents nil
>    "List of files and directories whose content we trust.
>  Be extra careful here since trusting means that Emacs might execute the
>  code contained within those files and directories without an explicit
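
Review bot: The `defcustom` is renamed with no `define-obsolete-variable-alias` for `trusted-content`, so a value already stored under the old name stops having any effect. With the default of `nil` that fails closed (no file is trusted), but the user gets no hint why Flymake or completion went quiet. Either add the alias or state in the commit message that no released version shipped the old name.
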
> @@ -732,21 +732,21 @@ trusted-content
>    :type '(choice (repeat :tag "List" file)
>                   (const :tag "Trust everything (DANGEROUS!)" :all))
>    :version "30.1")
> -(put 'trusted-content 'risky-local-variable t)
> +(put 'trusted-contents 'risky-local-variable t)
>  
> -(defun trusted-content-p ()
> +(defun trusted-contents-p ()
>    "Return non-nil if we trust the contents of the current buffer.
>  Here, \"trust\" means that we are willing to run code found inside of it.
> -See also `trusted-content'."
> +See also `trusted-contents'."
>    ;; We compare with `buffer-file-truename' i.s.o `buffer-file-name'
>    ;; to try and avoid marking as trusted a file that's merely accessed
>    ;; via a symlink that happens to be inside a trusted dir.
>    (and (not untrusted-content)
>         (or
> -        (eq trusted-content :all)
> +        (eq trusted-contents :all)
>          (and
>           buffer-file-truename
> -         (with-demoted-errors "trusted-content-p: %S"
> +         (with-demoted-errors "trusted-contents-p: %S"
>             (let ((exists (file-exists-p buffer-file-truename)))
>               (or
>                ;; We can't avoid trusting the user's init file.
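
Review bot: `trusted-content-p` becomes `trusted-contents-p` with no `define-obsolete-function-alias`, so a caller outside this patch that still uses the old predicate gets a void-function error instead of a trust decision. Separately, after this hunk the body tests `(not untrusted-content)` right next to `(eq trusted-contents :all)`; the singular/plural mismatch between the two variables is easy to mistype, so renaming both in one change (with the alias for `untrusted-content`) would be less error-prone.
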
> @@ -755,7 +755,7 @@ trusted-content-p
>                  (equal buffer-file-truename user-init-file))
>                (let ((file (abbreviate-file-name buffer-file-truename))
>                      (trusted nil))
> -                (dolist (tf trusted-content)
> +                (dolist (tf trusted-contents)
>                    (when (or (if exists (file-equal-p tf file) (equal tf 
> file))
>                              ;; We don't use `file-in-directory-p' here, 
> because
>                              ;; we want to err on the conservative side: 
> "guilty
> diff --git a/lisp/ielm.el b/lisp/ielm.el
> index 7511d4b02ae..da5ad992389 100644
> --- a/lisp/ielm.el
> +++ b/lisp/ielm.el
> @@ -580,7 +580,7 @@ inferior-emacs-lisp-mode
>         ielm-fontify-input-enable
>         (comint-fontify-input-mode))
>  
> -  (setq-local trusted-content :all)
> +  (setq-local trusted-contents :all)
>    (setq comint-prompt-regexp (concat "^" (regexp-quote ielm-prompt)))
>    (setq-local paragraph-separate "\\'")
>    (setq-local paragraph-start comint-prompt-regexp)
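
Review bot: A grep-driven rename is fragile for forms like `(setq-local trusted-content :all)` in `inferior-emacs-lisp-mode`: a missed occurrence raises no error, it only sets an unrelated buffer-local variable, and the buffer silently falls back to untrusted. Byte-compiling the tree after the rename, or keeping an obsolete alias so leftovers produce a warning, would catch stragglers.
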
> diff --git a/lisp/progmodes/elisp-mode.el b/lisp/progmodes/elisp-mode.el
> index 17606352c4a..c48861712de 100644
> --- a/lisp/progmodes/elisp-mode.el
> +++ b/lisp/progmodes/elisp-mode.el
> @@ -451,7 +451,7 @@ elisp--local-macroenv
>  (defvar elisp--macroexpand-untrusted-warning t)
>  
>  (defun elisp--safe-macroexpand-all (sexp)
> -  (if (not (trusted-content-p))
> +  (if (not (trusted-contents-p))
>        ;; FIXME: We should try and do better here, either using a notion
>        ;; of "safe" macros, or with `bwrap', or ...
>        (progn
> @@ -1338,7 +1338,7 @@ lisp-interaction-mode
>  \\{lisp-interaction-mode-map}"
>    :abbrev-table nil
>    (setq-local lexical-binding t)
> -  (setq-local trusted-content :all))
> +  (setq-local trusted-contents :all))
>  
>  ;;; Emacs Lisp Byte-Code mode
>  
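
Review bot: `(setq-local trusted-contents :all)` in `lisp-interaction-mode` selects the value the `defcustom` tags "Trust everything (DANGEROUS!)", and nothing at this site says why that is acceptable for the mode. Since the line is being touched anyway, a one-line comment giving the rationale would help later audits; the same applies to the occurrences in lisp/ielm.el and lisp/simple.el.
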
> @@ -2203,7 +2203,7 @@ elisp-flymake-byte-compile
>    "A Flymake backend for elisp byte compilation.
>  Spawn an Emacs process that byte-compiles a file representing the
>  current buffer state and calls REPORT-FN when done."
> -  (unless (trusted-content-p)
> +  (unless (trusted-contents-p)
>      ;; FIXME: Use `bwrap' and friends to compile untrusted content.
>      ;; FIXME: We emit a message *and* signal an error, because by default
>      ;; Flymake doesn't display the warning it puts into "*flmake log*".
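
Review bot: In the context just below the renamed `(unless (trusted-contents-p)` check, the comment names the buffer "*flmake log*", which looks like a typo for Flymake's log buffer. It is worth fixing while this function is being edited, since that comment is what explains why both a message and an error are emitted for untrusted content.
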
> diff --git a/lisp/simple.el b/lisp/simple.el
> index 088678ba857..fd027ec1915 100644
> --- a/lisp/simple.el
> +++ b/lisp/simple.el
> @@ -2033,7 +2033,7 @@ read--expression
>          (set-syntax-table emacs-lisp-mode-syntax-table)
>          (add-hook 'completion-at-point-functions
>                    #'elisp-completion-at-point nil t)
> -        (setq-local trusted-content :all)
> +        (setq-local trusted-contents :all)
>          (run-hooks 'eval-expression-minibuffer-setup-hook))
>      (read-from-minibuffer prompt initial-contents
>                            read--expression-map t



