Re: CVE-2017-14482 - Red Hat Customer Portal

[Philipp Stephani]

Eli Zaretskii <eliz@gnu.org> schrieb am So., 24. Sep. 2017 um 04:54 Uhr:

> > From: Yuri Khan <yuri.v.khan@gmail.com>
> > Date: Sun, 24 Sep 2017 03:50:51 +0700
> > Cc: "help-gnu-emacs@gnu.org" <help-gnu-emacs@gnu.org>
> >
> > On Sun, Sep 24, 2017 at 12:34 AM, Eli Zaretskii <eliz@gnu.org> wrote:
> >
> > > Why are you visiting a file about which you know nothing at all?
> >
> > Why not? Opening a file in a text editor is not normally considered a
> > hazardous activity.
>
> A file whose source you don't trust or are unfamiliar with should
> initially be examined with find-file-literally, if your security is
> indeed important for you.  That emulates what most other text editors
> do when you open a file.
>
>
That's an unrealistic requirement; nobody will ever do this. Emacs must
make sure to never run untrusted code when visiting a file, unless the user
explicitly asked for (via the enable-local-eval variable).