GNU bug report logs - #3230
dired-actual-switches is risky


Package: emacs

Reported by: Leo <sdl.web <at> gmail.com>

Date: Wed, 6 May 2009 14:25:06 UTC

Severity: normal

Fixed in version 24.1

Done: Glenn Morris <rgm <at> gnu.org>

Bug is archived. No further changes may be made.



Message #15 received at 3230 <at> debbugs.gnu.org (full text, mbox):

From: Leo <sdl.web <at> gmail.com>
To: Glenn Morris <rgm <at> gnu.org>
Cc: 3230 <at> debbugs.gnu.org
Subject: Re: bug#3230: 23.0.93; Make dired-actual-switches safe local variable?
Date: Thu, 24 Feb 2011 12:46:40 +0800

On 2011-02-24 10:08 +0800, Glenn Morris wrote:
> As it stands, it emphatically should NOT be marked safe. Example:
[...]
>
> Oh dear, arbitrary shell command executed with permissions of the user
> running Emacs.

Looks like a bug in the way dired-actual-switches is used. Should we
devise a function to check every switch in dired-actual-switches is
actually a switch?

(defun dired-actual-switches-p (switches)
  (assert (stringp switches))
  (mapc
   (lambda (switch)
     (assert (eq (aref switch 0) ?-)))
   (split-string switches nil t)))

(put 'dired-actual-switches 'safe-local-variable 'dired-actual-switches-p)

Leo
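
Added example, not part of the original message and not code from Emacs: a stricter predicate that allowlists the characters of each switch instead of checking only the leading "-". The names `my-dired-switch-regexp` and `my-dired-switches-safe-p` and the sample strings are hypothetical, constructed for illustration.

```elisp
;; Added example; these names are hypothetical, not functions from dired.el.
(require 'cl-lib)

(defconst my-dired-switch-regexp
  ;; One token: "-" or "--", then an ASCII letter or digit, then letters,
  ;; digits or "-", optionally followed by "=VALUE" with a conservative
  ;; value alphabet.  \` and \' anchor to the whole string, so nothing
  ;; can hide after an embedded newline the way it could with ^ and $.
  "\\`--?[A-Za-z0-9][A-Za-z0-9-]*\\(?:=[A-Za-z0-9._-]+\\)?\\'"
  "Allowlist regexp for a single ls switch (assumption of this example).")

(defun my-dired-switches-safe-p (switches)
  "Return non-nil if SWITCHES is a string made only of plain ls switches.
Unlike a predicate built on `assert', this returns nil for unsafe
values instead of signalling an error."
  (and (stringp switches)
       (let ((tokens (split-string switches nil t)))
         (and tokens                    ; reject empty / all-whitespace
              (cl-every (lambda (tok)
                          (string-match-p my-dired-switch-regexp tok))
                        tokens)))))

;; Constructed inputs.  The first two are ordinary listing switches.
(cl-assert (my-dired-switches-safe-p "-al"))
(cl-assert (my-dired-switches-safe-p "-l --time-style=long-iso"))

;; Each token below begins with "-", so a first-character check accepts
;; it, but it carries a shell metacharacter and the allowlist rejects it.
(dolist (bad '("-a;x" "-a|x" "-a&x" "-a`x`" "-a$(x)" "-a>x" "-a\nx;y"))
  (cl-assert (not (my-dired-switches-safe-p bad))))

;; Non-strings, empty values and bare dashes are rejected as well.
(cl-assert (not (my-dired-switches-safe-p nil)))
(cl-assert (not (my-dired-switches-safe-p "")))
(cl-assert (not (my-dired-switches-safe-p "-")))
(cl-assert (not (my-dired-switches-safe-p "al")))
```

The block only defines and exercises the predicate; it does not register it as a `safe-local-variable` property.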




This bug report was last modified 14 years and 82 days ago.


