GNU bug report logs -
#53876
27.2; "eval: (X-mode)" is always safe as file local variable
Previous Next
Reported by: Ignacio Casso <ignaciocasso <at> hotmail.com>
Date: Tue, 8 Feb 2022 13:34:02 UTC
Severity: normal
Tags: notabug, security
Found in version 27.2
Done: Lars Ingebrigtsen <larsi <at> gnus.org>
Bug is archived. No further changes may be made.
To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 53876 in the body.
You can then email your comments to 53876 AT debbugs.gnu.org in the normal way.
Toggle the display of automated, internal messages from the tracker.
Report forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#53876; Package
emacs.
(Tue, 08 Feb 2022 13:34:02 GMT)
Full text and
rfc822 format available.
Acknowledgement sent
to
Ignacio Casso <ignaciocasso <at> hotmail.com>:
New bug report received and forwarded. Copy sent to
bug-gnu-emacs <at> gnu.org.
(Tue, 08 Feb 2022 13:34:02 GMT)
Full text and
rfc822 format available.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
Hello,
I've noticed something that I believe it might be a bug. With Emacs 27.2
and the default configuration (starting with emacs -Q), I get the
following behavior:
If I visit a file ending with the three lines below, I get the usual
prompt asking whether I want to apply the local variables since they
might not be safe. So far so good.
# Local Variables:
# eval: (message "file was visited")
# End:
If I visit a file with the following local variables instead, I don't
get that prompt and the form is evaluated immediately, so I get line
numbers in the buffer. This happens for any other mode.
# Local Variables:
# eval: (display-line-numbers-mode)
# End:
I'm not sure if that is still good, but the real problem comes now, when I
define a function with a name ending in "-mode", like the following:
(defun not-really-a-mode ()
(message "This could be doing something nasty"))
If I visit a file with the following local variables, I don't get the
prompt either and the form is evaluated immediately.
# Local Variables:
# eval: (not-really-a-mode)
# End:
(Of course, activating an actual mode could be doing something equally
nasty, but somehow I find this worse)
I've investigated a little and found the function
hack-one-local-variable-eval-safep in files.el, which is responsible for
this. It has a comment that says "Allow (minor)-modes calls with no
arguments.", and just checks whether the function ends in "-mode".
I'm not sure if it's a bug or a feature, and it's not important at all
to me, since it's actually convenient. I'm just reporting it since I
noticed it and I'm trying to get in the habit of reporting (possible)
bugs when I find them.
Best regards,
Ignacio
In GNU Emacs 27.2 (build 1, x86_64-pc-linux-gnu, GTK+ Version 3.24.20)
of 2022-01-16 built on ignacio-IdeaPad-3-15ADA05
Windowing system distributor 'The X.Org Foundation', version 11.0.12013000
System Description: Ubuntu 20.04.3 LTS
Added tag(s) security.
Request was from
Glenn Morris <rgm <at> fencepost.gnu.org>
to
control <at> debbugs.gnu.org.
(Tue, 08 Feb 2022 15:57:01 GMT)
Full text and
rfc822 format available.
Information forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#53876; Package
emacs.
(Tue, 08 Feb 2022 16:43:02 GMT)
Full text and
rfc822 format available.
Message #10 received at 53876 <at> debbugs.gnu.org (full text, mbox):
Thanks for the report.
Same issue with "-*- mode: not-really-a; -*-".
It's all intentional behaviour, but how sensible it is is a valid question.
Information forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#53876; Package
emacs.
(Wed, 09 Feb 2022 01:09:01 GMT)
Full text and
rfc822 format available.
Message #13 received at 53876 <at> debbugs.gnu.org (full text, mbox):
I suppose the assumption is that code already available in the user's
environment is not intrinsically malicious (ie does not contain
deliberately harmful mode definitions). Rather the file-local variables
safety mechanisms are intended to protect against malicious code
actually embedded in the file being visited; something like eval:
(shell-command ...).
It underlines again the need to be careful about what elisp libraries
one installs (although the simple act of installing a package can
already directly execute arbitrary code anyway).
Information forwarded
to
bug-gnu-emacs <at> gnu.org:
bug#53876; Package
emacs.
(Wed, 09 Feb 2022 08:24:01 GMT)
Full text and
rfc822 format available.
Message #16 received at 53876 <at> debbugs.gnu.org (full text, mbox):
Glenn Morris <rgm <at> gnu.org> writes:
> Thanks for the report.
>
> Same issue with "-*- mode: not-really-a; -*-".
>
> It's all intentional behaviour, but how sensible it is is a valid question.
I don't think this is something that we can change at this point,
though. If you've installed a package that defines a mode, then the
assumption is that it's safe.
So I don't think there's anything to fix here, and I'm therefore closing
this bug report.
--
(domestic pets only, the antidote for overdose, milk.)
bloggy blog: http://lars.ingebrigtsen.no
Added tag(s) notabug.
Request was from
Lars Ingebrigtsen <larsi <at> gnus.org>
to
control <at> debbugs.gnu.org.
(Wed, 09 Feb 2022 08:24:02 GMT)
Full text and
rfc822 format available.
bug closed, send any further explanations to
53876 <at> debbugs.gnu.org and Ignacio Casso <ignaciocasso <at> hotmail.com>
Request was from
Lars Ingebrigtsen <larsi <at> gnus.org>
to
control <at> debbugs.gnu.org.
(Wed, 09 Feb 2022 08:24:02 GMT)
Full text and
rfc822 format available.
bug archived.
Request was from
Debbugs Internal Request <help-debbugs <at> gnu.org>
to
internal_control <at> debbugs.gnu.org.
(Wed, 09 Mar 2022 12:24:10 GMT)
Full text and
rfc822 format available.
This bug report was last modified 3 years and 101 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.