GNU bug report logs - #53876
27.2; "eval: (X-mode)" is always safe as file local variable


Package: emacs

Reported by: Ignacio Casso <ignaciocasso <at> hotmail.com>

Date: Tue, 8 Feb 2022 13:34:02 UTC

Severity: normal

Tags: notabug, security

Found in version 27.2

Done: Lars Ingebrigtsen <larsi <at> gnus.org>

Bug is archived. No further changes may be made.



Message #13 received at 53876 <at> debbugs.gnu.org (full text, mbox):

From: Glenn Morris <rgm <at> gnu.org>
To: Ignacio Casso <ignaciocasso <at> hotmail.com>
Cc: 53876 <at> debbugs.gnu.org
Subject: Re: bug#53876: 27.2; "eval: (X-mode)" is always safe as file local variable
Date: Tue, 08 Feb 2022 20:08:14 -0500

I suppose the assumption is that code already available in the user's
environment is not intrinsically malicious (i.e. does not contain
deliberately harmful mode definitions). Rather the file-local variables
safety mechanisms are intended to protect against malicious code
actually embedded in the file being visited; something like eval:
(shell-command ...).

It underlines again the need to be careful about what elisp libraries
one installs (although the simple act of installing a package can
already directly execute arbitrary code anyway).
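
A review aid for the behaviour discussed in this report, added here as an example (it is not part of the bug thread or of Emacs): it reads a file's trailing "Local Variables:" block outside Emacs and lists the "eval:" mode calls, so each function that would run on visiting the file can be traced to the installed package that defines it. The function names, the constructed sample files and the approximated acceptance rule are assumptions, and the "-*-" first-line form is not handled.

```python
import re

# Constructed sample files (not taken from the bug report).
SAMPLE_MODE = "notes\n\n# Local Variables:\n# eval: (foo-mode)\n# End:\n"
SAMPLE_OTHER = ';; Local Variables:\n;; eval: (shell-command "...")\n;; End:\n'

# Assumed rule, approximating Emacs's check: a call to a symbol ending in
# "-mode" with no argument or a single 1, 0 or -1 needs no confirmation.
MODE_CALL = re.compile(r"""^\(\s*([^\s()"';]+-mode)(?:\s+(?:-?1|0))?\s*\)$""")

def eval_forms(text):
    """Return the eval: forms in the trailing Local Variables block."""
    tail = text[-3000:]  # Emacs only looks near the end of the file
    headers = list(re.finditer(r"^(.*?)Local Variables:[ \t]*(.*)$",
                               tail, re.M | re.I))
    if not headers:
        return []
    # Text around "Local Variables:" is the comment prefix/suffix of each entry.
    prefix, suffix = headers[-1].group(1), headers[-1].group(2).rstrip()
    forms = []
    for line in tail[headers[-1].end():].splitlines()[1:]:
        line = line.rstrip()
        if not (line.startswith(prefix) and line.endswith(suffix)):
            break  # malformed entry: stop rather than guess
        body = line[len(prefix):len(line) - len(suffix)].strip()
        if body.lower() == "end:":
            break
        m = re.match(r"eval:\s*(.+)$", body)
        if m:
            forms.append(m.group(1).strip())
    return forms

def mode_call(form):
    """Return the function name if FORM is an auto-accepted mode call."""
    m = MODE_CALL.match(form)
    return m.group(1) if m else None

def audit(text):
    """List (form, function) pairs that would run an installed mode function."""
    return [(f, mode_call(f)) for f in eval_forms(text) if mode_call(f)]

if __name__ == "__main__":
    for form, fn in audit(SAMPLE_MODE):
        print(f"{form}: calls installed function {fn!r}; check which package defines it")
```

Forms that are not mode calls are left out of the report because they go through Emacs's ordinary file-local safety checks.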




This bug report was last modified 3 years and 101 days ago.


