GNU bug report logs - #41619
[PATCH] Mark python-shell-virtualenv-root as safe local variable


Package: emacs

Reported by: "Philip K." <philip.kaludercic <at> fau.de>

Date: Sat, 30 May 2020 20:32:02 UTC

Severity: normal

Tags: patch

Done: Eli Zaretskii <eliz <at> gnu.org>

Bug is archived. No further changes may be made.



Message #25 received at 41619 <at> debbugs.gnu.org (full text, mbox):

From: "Philip K." <philip <at> warpmail.net>
To: Eli Zaretskii <eliz <at> gnu.org>
Cc: 41619 <at> debbugs.gnu.org, rgm <at> gnu.org
Subject: Re: bug#41619: [PATCH] Mark python-shell-virtualenv-root as safe
 local variable
Date: Tue, 16 Jun 2020 19:32:52 +0200

Eli Zaretskii <eliz <at> gnu.org> writes:

>> From: "Philip K." <philip <at> warpmail.net>
>> Cc: rgm <at> gnu.org, 41619 <at> debbugs.gnu.org
>> Date: Tue, 16 Jun 2020 18:52:07 +0200
>> 
>> Ultimately, my estimation was wrong, and the variable shouldn't be marked
>> as safe, at least not with any heuristics that could warn the user if
>> the path is suspicious.
>
> So all we need is to remove the :safe attribute from the variable?  Or
> something else?

That would make it harder for projects to hide malicious values of
python-shell-virtualenv-root, but it's still an attack vector in
principle.

-- 
	Philip K.
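
Added example, not part of the original message or of the Emacs sources: a simplified classifier showing how a file-local or directory-local value is handled with and without a safe-local-variable predicate, which is the difference the :safe attribute makes. The variable demo-venv-root, the stringp predicate and the sample path are assumptions made for illustration; the predicate used in the patch is not shown on this page.

```elisp
;;; Added illustration.  `demo-venv-root' is a hypothetical stand-in for a
;;; path-valued option; `stringp' is an assumed predicate, not the patch's.
(defvar demo-venv-root nil
  "Hypothetical stand-in for a path-valued option such as a virtualenv root.")

(defun demo-local-var-disposition (sym val)
  "Return how Emacs would treat a file-local setting of SYM to VAL.
Simplified from the checks Emacs applies to local variables when
`enable-local-variables' is t; `eval' forms are not covered."
  (cond
   ;; Variables listed here are dropped without asking.
   ((memq sym ignored-local-variables) 'ignored)
   ;; A predicate in the `safe-local-variable' property that accepts VAL
   ;; means the value is applied with no prompt at all.
   ((safe-local-variable-p sym val) 'applied-silently)
   ;; Risky variables are flagged as such in the confirmation prompt.
   ((risky-local-variable-p sym) 'prompt-risky)
   ;; Everything else is applied only if the user confirms.
   (t 'prompt-unsafe)))

;; Constructed value, as a project's .dir-locals.el might supply it.
(let ((val "/tmp/demo-project/.venv"))
  ;; What :safe in a defcustom amounts to: any string passes the predicate.
  (put 'demo-venv-root 'safe-local-variable #'stringp)
  (message "with :safe    -> %s"
           (demo-local-var-disposition 'demo-venv-root val))
  ;; With the attribute removed, the user sees the value before it applies.
  (put 'demo-venv-root 'safe-local-variable nil)
  (message "without :safe -> %s"
           (demo-local-var-disposition 'demo-venv-root val)))
```

A predicate such as stringp accepts every path, so it cannot tell a project's own environment from one that should raise suspicion; without the predicate the value is applied only after the user confirms the prompt.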




This bug report was last modified 5 years and 68 days ago.
