GNU bug report logs - #74879
30.0.92; trusted-content-p and trusted-files cannot be used for non-file buffers

Previous Next

Package: emacs;

Reported by: Daniel Mendler <mail <at> daniel-mendler.de>

Date: Sun, 15 Dec 2024 00:40:02 UTC

Severity: normal

Found in version 30.0.92

Full log

Message #92 received at 74879 <at> debbugs.gnu.org (full text, mbox):

From: Daniel Mendler <mail <at> daniel-mendler.de>
To: Stefan Monnier <monnier <at> iro.umontreal.ca>
Cc: 74879 <at> debbugs.gnu.org
Subject: Re: bug#74879: 30.0.92; trusted-content-p and trusted-files cannot
 be used for non-file buffers
Date: Mon, 16 Dec 2024 19:48:44 +0100

Stefan Monnier <monnier <at> iro.umontreal.ca> writes:

>> The thought was rather that auto completion may be dangerous in general
>
> Maybe I have too narrow a view of completion, but my impression is that
> completion is usually safe.  The situation in ELisp where we perform
> macro expansion to try and get the set of local variables in scope and
> where that macro expansion can end up running local code is rather
> unusual, AFAIK.

Agree.

> What kind of situation are you thinking of where completion is unsafe?

Elisp completion on Emacs 29 and older for example ;)

>> I just took another look at the `trusted-content-p' function on the
>> emacs-30 branch:
>>
>> (defun trusted-content-p ()
>>   (and (not untrusted-content)
>>        buffer-file-truename
>>        ...))
>>
>> There is a check for `buffer-file-truename' which means that the issue
>> with non-file-backed buffers remains (Ielm or scratch). Probably (eq
>> trusted-content :all) should be checked first?
>
> Duh!  I forgot that the same change toned down the warnings, so I
> didn't look at the right place when "testing".  Thanks for the heads up,
> I just fixed it in `emacs-30`.

Thanks for pushing the fix.

>> At the same time one could consolidate the untrusted-content and
>> trusted-content variables as Eshel suggested?
>>
>> (defun trusted-content-p ()
>>   (and (not untrusted-content) ;; only for backward compat (deprecated)
>>        (not (eq trusted-content :untrusted)) ;; replaces untrusted-content
>>        (or (eq trusted-content :all)
>>            (and buffer-file-name
>>                 ...))))
>
> I could go along with that (not for `emacs-30`, tho).
> I'd prefer to get a bit more experience before deciding to do that, tho.

Okay, sure. No urgency about that one.

Just to give some examples where the new trust function could be useful,
assuming that the user really trusts their trusted files:

(setq org-confirm-babel-evaluate (lambda (&rest _)
                                   (not (trusted-content-p)))
      org-link-elisp-confirm-function (lambda (prompt)
                                        (or (trusted-content-p)
                                            (y-or-n-p prompt)))
      org-link-shell-confirm-function org-link-elisp-confirm-function)

Maybe it is possible to configure `enable-local-variables' similarly.

Daniel
This bug report was last modified 56 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.