GNU bug report logs - #41619
[PATCH] Mark python-shell-virtualenv-root as safe local variable


Package: emacs;

Reported by: "Philip K." <philip.kaludercic <at> fau.de>

Date: Sat, 30 May 2020 20:32:02 UTC

Severity: normal

Tags: patch

Done: Eli Zaretskii <eliz <at> gnu.org>

Bug is archived. No further changes may be made.



Message #31 received at 41619 <at> debbugs.gnu.org (full text, mbox):

From: "Philip K." <philip <at> warpmail.net>
To: Eli Zaretskii <eliz <at> gnu.org>
Cc: 41619 <at> debbugs.gnu.org, rgm <at> gnu.org
Subject: Re: bug#41619: [PATCH] Mark python-shell-virtualenv-root as safe
 local variable
Date: Tue, 16 Jun 2020 21:49:44 +0200

Eli Zaretskii <eliz <at> gnu.org> writes:

>> That would make it harder for projects to hide malicious values of
>> python-shell-virtualenv-root, but it's still an attack vector in
>> principle.
>
> Then I don't think I understand how you suggest to fix this.

I don't know either; any directory with a properly configured
dir-locals.el file and a bin/python executable can be exploited if the
user doesn't pay attention in python-mode.

As mentioned above, I agree that the best thing would be to unmark the
variable as safe. I'll try to find out more on how to avoid arbitrary
code execution in Python, and if there's some way, I would try to
implement it so that the variable can be marked as safe again.

-- 
	Philip K.
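
The condition described in the message above (a directory-locals file that sets python-shell-virtualenv-root, in a tree that also ships a bin/python) can be checked before a checkout is opened in python-mode. The following is an added example, not part of the original message or of Emacs; it assumes the file is named .dir-locals.el, that relative values resolve against the directory holding that file, and that a regex match is good enough (it is not a Lisp reader). The function names and the sample tree are constructed for illustration.

```python
import os
import re
import tempfile

# Heuristic match for (python-shell-virtualenv-root . "VALUE"); not a Lisp reader.
SETTING = re.compile(r'python-shell-virtualenv-root\s*\.\s*"((?:[^"\\]|\\.)*)"')

def audit_tree(root):
    """List every .dir-locals.el under root that sets the variable."""
    root_real = os.path.realpath(root)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if ".dir-locals.el" not in files:
            continue
        path = os.path.join(dirpath, ".dir-locals.el")
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        for match in SETTING.finditer(text):
            value = match.group(1)
            # Assumption: relative values resolve against the file's directory.
            venv = os.path.realpath(os.path.join(dirpath, os.path.expanduser(value)))
            findings.append({
                "file": path,
                "value": value,
                # True when the tree itself supplies the directory being pointed at.
                "inside_tree": os.path.commonpath([root_real, venv]) == root_real,
                "interpreter_present": os.path.isfile(os.path.join(venv, "bin", "python")),
            })
    return findings

def demo():
    """Build a constructed sample tree and audit it."""
    with tempfile.TemporaryDirectory() as root:
        proj = os.path.join(root, "proj")
        os.makedirs(os.path.join(proj, "env", "bin"))
        # Constructed sample file; the interpreter is an empty placeholder.
        with open(os.path.join(proj, ".dir-locals.el"), "w") as fh:
            fh.write('((python-mode . ((python-shell-virtualenv-root . "./env"))))\n')
        open(os.path.join(proj, "env", "bin", "python"), "w").close()
        os.makedirs(os.path.join(root, "clean"))
        with open(os.path.join(root, "clean", ".dir-locals.el"), "w") as fh:
            fh.write('((nil . ((fill-column . 72))))\n')
        return [(f["value"], f["inside_tree"], f["interpreter_present"])
                for f in audit_tree(root)]

if __name__ == "__main__":
    for row in demo():
        print(row)
```

A finding with both inside_tree and interpreter_present set is the case worth reviewing by hand before the tree is visited in Emacs.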




This bug report was last modified 5 years and 68 days ago.



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.