GNU bug report logs - #3230
dired-actual-switches is risky

Package: emacs

Reported by: Leo <sdl.web <at> gmail.com>

Date: Wed, 6 May 2009 14:25:06 UTC

Severity: normal

Fixed in version 24.1

Done: Glenn Morris <rgm <at> gnu.org>

Bug is archived. No further changes may be made.



Message #12 received at control <at> debbugs.gnu.org (full text, mbox):

From: Glenn Morris <rgm <at> gnu.org>
To: Leo <sdl.web <at> gmail.com>
Cc: 3230 <at> debbugs.gnu.org
Subject: Re: 23.0.93; Make dired-actual-switches safe local variable?
Date: Wed, 23 Feb 2011 21:08:26 -0500

retitle 3230 dired-actual-switches is risky
stop

Leo wrote:

> The dired-x manual gives an example in using local variables for dired
> buffers. However, the variable dired-actual-switches has not been marked
> as safe local variable. I think this is an oversight.

As it stands, it emphatically should NOT be marked safe. Example:

cat <<EOF >| .dired
Local Variables:
dired-actual-switches: "-l ; touch /tmp/OHDEAR"
End:
EOF

rm -f /tmp/OHDEAR

emacs -Q -l dired-x
M-x dired /path/to/dir/*.el     ; wildcard is important
answer "y" to question about possibly unsafe local variable

ls /tmp/OHDEAR

Oh dear, arbitrary shell command executed with permissions of the user
running Emacs.
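
A defensive check for the issue demonstrated above, as an added example that is not part of the original message or of Emacs: it reads the Local Variables block of a .dired file and flags any dired-actual-switches value that is not a plain string of ls options. The allowlist pattern, the length bound and all function names are assumptions of this example.

```python
import re
import sys
from pathlib import Path

# Assumption of this example: safe values are only dashes, spaces and
# alphanumerics (plain ls options), shorter than an arbitrary bound.
SAFE_SWITCHES = re.compile(r"\A *-[- A-Za-z0-9]+\Z")
MAX_LEN = 100

def local_variables(text):
    """Return {name: raw value} from an unprefixed 'Local Variables:' block."""
    found, in_block = {}, False
    for line in text.splitlines():
        line = line.strip()
        if not in_block:
            in_block = line == "Local Variables:"
        elif line == "End:":
            break
        else:
            name, sep, value = line.partition(":")
            if sep:
                found[name.strip()] = value.strip()
    return found

def switches_look_safe(raw):
    """True for nil or a double-quoted string of plain ls options."""
    if raw == "nil":
        return True
    if len(raw) < 2 or raw[0] != '"' or raw[-1] != '"':
        return False  # a Lisp form or unquoted text: do not trust it
    body = raw[1:-1]
    return len(body) < MAX_LEN and bool(SAFE_SWITCHES.match(body))

def audit(text):
    """Return the raw dired-actual-switches value if set and not allowlisted."""
    raw = local_variables(text).get("dired-actual-switches")
    return raw if raw is not None and not switches_look_safe(raw) else None

# The .dired content from the report above, and a constructed benign one.
REPORTED = 'Local Variables:\ndired-actual-switches: "-l ; touch /tmp/OHDEAR"\nEnd:\n'
BENIGN = 'Local Variables:\ndired-actual-switches: "-alh"\nEnd:\n'

if __name__ == "__main__":
    # Usage: python audit_dired.py DIR...  (walks each tree for .dired files)
    for root in sys.argv[1:]:
        for path in Path(root).rglob(".dired"):
            flagged = audit(path.read_text(errors="replace"))
            if flagged is not None:
                print(f"{path}: suspicious dired-actual-switches {flagged}")
```

The allowlist is deliberately strict, so legitimate switches containing characters such as "=" are also flagged for manual review.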




This bug report was last modified 14 years and 81 days ago.
