GNU bug report logs - #77341
[PATCH] ; (find-function-search-for-symbol): Be cautious with macros.


Package: emacs;

Reported by: Eshel Yaron <me <at> eshelyaron.com>

Date: Fri, 28 Mar 2025 17:29:02 UTC

Severity: normal

Tags: patch

Fixed in version 31.1

Done: Eshel Yaron <me <at> eshelyaron.com>

Bug is archived. No further changes may be made.


From: Eshel Yaron <me <at> eshelyaron.com>
To: Daniel Colascione <dancol <at> dancol.org>
Cc: 77341 <at> debbugs.gnu.org
Subject: bug#77341: [PATCH] ; (find-function-search-for-symbol): Be cautious with macros.
Date: Sat, 29 Mar 2025 07:54:26 +0100

Daniel Colascione <dancol <at> dancol.org> writes:

> On March 28, 2025 1:28:06 PM EDT, Eshel Yaron wrote:
>>Tags: patch
>>
>>find-function may expand Lisp macros in a source file when it fails to
>>find a definition otherwise.  This patch restricts this fallback to
>>trusted buffers only, to protect against possibly harmful macros.
>
> I get not wanting to execute code from random files I'm just visiting,
> but if I've already actually evaluated a macro function and installed
> it in my Emacs function namespace as something I can call, is it all
> that dangerous to call it? 

find-function searches through code you haven't evaluated/loaded too.
Even for loaded libraries, the source file/buffer contents may be
different than the loaded code.  Either way, if you trust some files,
you can add them to trusted-content.  If you haven't, that means they
are untrusted.

In general, as long as macro-expansion remains unsafe, we should avoid
expanding untrusted macros in commands that merely edit/browse Lisp code
(in contrast with compiling/evaluating it).

> Instead of a blanket prohibition on macro expansion,

(To be clear, I wouldn't say there's a prohibition on macro expansion,
just a restriction to trusted code, similarly to proper code evaluation,
since they're not that different in practice.)

> I'd rather have macros declare that they're safe to run on untrusted
> inputs, which means mostly they don't eval their arguments.

Yes, please :)
Even better, we should have a safe evaluation sandbox that can be used
for safe macro-expansion among other things.  Indeed, any solution that
allows us to safely expand (most) macros would be a great improvement.
But until we have something like that, we should guard macro-expansion
behind trusted-content-p checks.


Regards,

Eshel
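
The guard discussed in this message, sketched as an added example; it is not part of the original e-mail and is not the code of the Emacs patch. The names `my/find-definition` and `my/expansion-defines-p` are hypothetical, and the example assumes Emacs 30 or later (where `trusted-content-p` exists) and a buffer in `emacs-lisp-mode`. A text search is tried first, and the macro-expanding fallback runs only in trusted buffers.

```elisp
;;; -*- lexical-binding: t -*-
;; Added example; the `my/' names are hypothetical.  Assumes Emacs 30+
;; (for `trusted-content-p') and a buffer in `emacs-lisp-mode'.

(defun my/expansion-defines-p (form symbol)
  "Return non-nil if FORM contains a `defalias' of SYMBOL."
  (and (consp form)
       (or (and (eq (car form) 'defalias)
                (equal (car-safe (cdr form)) (list 'quote symbol)))
           (let ((tail form) found)
             (while (and (consp tail) (not found))
               (setq found (my/expansion-defines-p (car tail) symbol)
                     tail (cdr tail)))
             found))))

(defun my/find-definition (symbol)
  "Return the position where SYMBOL is defined in this buffer, or nil.
Forms are macro-expanded only if `trusted-content-p' returns non-nil."
  (save-excursion
    (goto-char (point-min))
    (cond
     ;; 1. Plain text search: never runs anything from the buffer.
     ((re-search-forward
       (concat "^\\s-*(def\\(?:un\\|macro\\|subst\\)\\s-+"
               (regexp-quote (symbol-name symbol)) "\\_>")
       nil t)
      (match-beginning 0))
     ;; 2. The fallback runs macro code on the buffer's forms, so it is
     ;;    refused unless the user has marked this content as trusted.
     ((not (trusted-content-p))
      (message "Untrusted buffer: not expanding macros to find `%s'" symbol)
      nil)
     ;; 3. Trusted: expand each top-level form and look for a defalias.
     (t
      (catch 'found
        (condition-case nil
            (while t
              (forward-comment (point-max))
              (let ((start (point))
                    (form (read (current-buffer))))
                (when (my/expansion-defines-p
                       (ignore-errors (macroexpand-all form)) symbol)
                  (throw 'found start))))
          ((end-of-file invalid-read-syntax) nil)))))))
```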




This bug report was last modified 41 days ago.
