emacs-devel

Re: Security flaw in enable-local-eval; new release plan


From: Thien-Thi Nguyen
Subject: Re: Security flaw in enable-local-eval; new release plan
Date: Mon, 13 Aug 2012 08:32:57 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.1 (gnu/linux)

() Chong Yidong <address@hidden>
() Mon, 13 Aug 2012 11:10:57 +0800

   (let ((safe (or (hack-one-local-variable-eval-safep
                    (eval (quote val)))
                   ;; In case previously marked safe (bug#5636).
                   (safe-local-variable-p var val))))
     ;; If not safe and e-l-v = :safe, ignore totally.
     (when (or safe (not (eq enable-local-variables :safe)))
       (push elt all-vars)
       (or (eq enable-local-eval t)
           safe
           (push elt unsafe-vars))))

It seems control reaches ‘eval’ before reaching the ‘:safe’ check, thus
defeating the check.  Am I missing something?

-- 
Thien-Thi Nguyen ..................................... GPG key: 4C807502
.                  NB: ttn at glug dot org is not me                   .
.                 (and has not been since 2007 or so)                  .
.                        ACCEPT NO SUBSTITUTES                         .
........... please send technical questions to mailing lists ...........
