GNU bug report logs - #4218
Security assertion needs modification or more detail
Reported by: Reuben Thomas <rrt <at> sc3d.org>
Date: Thu, 20 Aug 2009 23:50:04 UTC
Severity: normal
Done: Chong Yidong <cyd <at> stupidchicken.com>
Bug is archived. No further changes may be made.
Message #8 received at 4218 <at> debbugs.gnu.org (full text, mbox):
> The docstring for compile-command says: "This variable is safe as a
> file local variable if its value satisfies the predicate `stringp'."
> I'd say this is arguable, as it can be set to an arbitrary command
> e.g. "send-me-all-your-passwords; make -k".
Thanks for the bug report.
I think the main risk occurs when the user has customized
compilation-read-command to nil, because then M-x compile does not issue
a prompt. So, I've changed the predicate to consider compile-command
unsafe if compilation-read-command is nil.
We could be more aggressive and always consider compilation-command
unsafe, but I'm not sure that's warranted. After all, there is the risk
that your makefile is malicious, anyway.
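
The predicate change described in the reply above, sketched in Emacs Lisp as an added example (not the code committed to Emacs and not part of the original message). The `my/` function names and the sample command string are assumptions made for illustration.

```emacs-lisp
;;; -*- lexical-binding: t -*-
;;; Added example: a safe-local-variable predicate for `compile-command'
;;; that depends on whether `M-x compile' still prompts the user.

(require 'compile) ; defines `compile-command' and `compilation-read-command'

(defun my/compile-command-safe-p (value)
  "Return non-nil if VALUE may be accepted as a file-local `compile-command'.
Hypothetical predicate: VALUE must be a string, and `M-x compile' must
still prompt, so the user sees the command before it runs."
  (and (stringp value)
       (or (not (boundp 'compilation-read-command))
           compilation-read-command)))

;; Install the predicate. Emacs consults this property when a visited
;; file tries to set the variable through its local variables list.
(put 'compile-command 'safe-local-variable #'my/compile-command-safe-p)

(defun my/audit-compile-command (value)
  "Report how a file-local `compile-command' VALUE would be treated.
Returns a plist: whether the compile prompt is enabled, and whether
Emacs would accept VALUE without asking the user for confirmation."
  (list :prompt-enabled (and compilation-read-command t)
        :accepted-without-query
        (and (safe-local-variable-p 'compile-command value) t)))

;; Constructed sample value with the same shape as the one in the report:
;; an extra command placed in front of the real build command.
(let ((sample "some-other-command; make -k"))
  ;; Default configuration: the user is prompted and can read the command.
  (let ((compilation-read-command t))
    (message "prompting:     %S" (my/audit-compile-command sample)))
  ;; Customized configuration from the reply: no prompt, so the value
  ;; must not be accepted silently.
  (let ((compilation-read-command nil))
    (message "not prompting: %S" (my/audit-compile-command sample)))
  ;; A non-string value is rejected in either configuration.
  (message "non-string:    %S" (my/audit-compile-command '(evil))))

;; The stricter alternative mentioned in the reply, left disabled here:
;; never treat the variable as safe, so Emacs always asks.
;; (put 'compile-command 'safe-local-variable nil)
```

Evaluate it with `emacs --batch -l` on a scratch file; values already listed in `safe-local-variable-values` are accepted regardless of the predicate, so audit that list as well.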
This bug report was last modified 15 years and 57 days ago.