Vladimir G. Ivanovic writes:
> on 02/26/2009 04:05 PM Stephen J. Turnbull said the following:
> > ...but there are so many ways to get code executed in Emacsen I
> > shiver to think there's anybody out there who would refuse to use an
> > Emacs without a patch for this bug, but would use an Emacs with a
> > patch for it.
> The issue, I believe, is the silent (i.e. inadvertent) execution of
> code, say "rm -rf $HOME &".

Which can also be done through .vm, .gnus, .bbdb, and auto-autoloads
(to mention four possibilities right off the top of my head), all of
which are commonly installed in user directories. Worse yet, the very
person who reported this bug is personally responsible for
.emacs.desktop!! which is capable of evil in *any* directory, unlike
the dot-files which need to be in $HOME and auto-autoloads which need
to be on `load-path'.

> > Before we go spending energy on alleged security bugs, we should
> > think more carefully about what we want our security posture to be. I note
> > that the Python developers eventually gave up on "restricted mode",
> Agreed. I don't recall any such discussion, but maybe there has been.

No, there hasn't been any discussion here. There has been some work
done in GNU Emacs on improving security against file-local variables,
but an explicit `load' by a user-invoked mode is just undefendable as
far as I can see, unless we implement something like a restricted