GNU bug report logs - #17467
24.3; locate-library returning spurious path


Package: emacs;

Reported by: Alex Kosorukoff <alex <at> 3form.com>

Date: Sun, 11 May 2014 16:51:02 UTC

Severity: minor

Tags: patch

Found in version 24.3

Done: Lars Ingebrigtsen <larsi <at> gnus.org>

Bug is archived. No further changes may be made.


From: Alex Kosorukoff <alex <at> 3form.com>
To: Glenn Morris <rgm <at> gnu.org>
Cc: 17467 <17467 <at> debbugs.gnu.org>, Stefan Monnier <monnier <at> iro.umontreal.ca>
Subject: bug#17467: 24.3; locate-library returning spurious path
Date: Sun, 11 May 2014 15:31:56 -0700
I think you are overlooking something. If I notice a random tramp.el in
some unusual place, I will investigate it right away because I know .el
files can be executed by emacs. I wouldn't do it for a random data file
without extension or a compressed .gz archive unless they have executable
permission for some unknown reason. Data files are created by many
applications and it is concerning me as long as no program I frequently use
will execute them randomly. You can say that data files should never be in
the load-path of emacs and I will agree with you. However, I can see
scenarios when this can happen unintentionally. It would be careless not to
try to add a simple safeguard to prevent this kind of execution.

I did fix the proximal cause already, worked around this function and
patched my emacs, so this bug doesn't affect me in any way now. Now I am
trying hard to fix the root cause. This is why I reported this bug, shared
my patches and addressed all valid concerns that were expressed here, even
those that aren't that important for me personally. The most difficult part
seems to be in persuading developers that this is an issue to be fixed. If
I fail at this, I simply will be less confident in using emacs.



On Sun, May 11, 2014 at 2:19 PM, Glenn Morris <rgm <at> gnu.org> wrote:

> Alex Kosorukoff wrote:
>
> > It can cause user inconvenience or pose a security/privacy issue
> > because a random file named "tramp" or "tramp.gz" placed in some
> > directory of the load-path can be loaded instead of the standard
> > library without user knowledge.
>
> This argument does not fly, because if someone can write a "tramp" file
> to a directory in your load-path, they can just as easily write
> "tramp.el". Random files should not be being written to your load-path,
> and you should not be adding inappropriate directories to that path.
> Your immediate problem was having ~/.emacs.d in load-path.
>
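An audit for the condition discussed in this message (a file named "tramp" or "tramp.gz" in a load-path directory that shares its name with a library), as an added example that is not part of the original thread or of Emacs. The directory list passed in, the function names and the sample tree are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

LISP_SUFFIXES = (".el", ".elc")  # suffixes that mark a file as Emacs Lisp


def strip_gz(name):
    """Drop a trailing .gz so "tramp.gz" and "tramp" compare equal."""
    return name[:-3] if name.endswith(".gz") else name


def library_names(load_path):
    """Map each library name to the first directory providing it as .el/.elc."""
    libs = {}
    for d in filter(os.path.isdir, load_path):
        for f in sorted(os.listdir(d)):
            base, ext = os.path.splitext(strip_gz(f))
            if base and ext in LISP_SUFFIXES:
                libs.setdefault(base, d)
    return libs


def find_suspect_files(load_path):
    """List regular files named like a library but lacking a Lisp suffix."""
    libs = library_names(load_path)
    hits = []
    for d in filter(os.path.isdir, load_path):
        mode = os.stat(d).st_mode
        shared = bool(mode & (stat.S_IWGRP | stat.S_IWOTH))  # group/others can write here
        for f in sorted(os.listdir(d)):
            full = os.path.join(d, f)
            if os.path.isfile(full) and strip_gz(f) in libs:
                hits.append((full, libs[strip_gz(f)], shared))
    return hits


def build_demo_tree():
    """Constructed sample: a data file "tramp" listed ahead of the real tramp.el."""
    root = tempfile.mkdtemp()
    user_dir, lisp_dir = os.path.join(root, "emacs.d"), os.path.join(root, "lisp")
    for d in (user_dir, lisp_dir):
        os.mkdir(d, 0o700)
    for d, f in ((user_dir, "tramp"), (user_dir, "init.el"),
                 (lisp_dir, "tramp.el"), (lisp_dir, "tramp.elc")):
        open(os.path.join(d, f), "w").close()
    return [user_dir, lisp_dir]


if __name__ == "__main__":
    for path, real_dir, shared in find_suspect_files(build_demo_tree()):
        print(f"{path}: same name as library in {real_dir}; shared-writable dir={shared}")
```

Each hit gives the suspect file, the directory holding the real library, and whether the suspect's directory is writable by group or others.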

This bug report was last modified 4 years and 226 days ago.

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.