security concerns

Posted Aug 17, 2006 9:52 UTC (Thu) by nix (subscriber, #2304)
In reply to: security concerns by bockman
Parent article: security concerns

Emacs disagrees with you. Evaluation of untrusted Lisp in local-variable sections of files has been allowed by Emacs for decades: it just *shows you what the code is that it's going to run* when it asks you to run it. It's generally pretty obvious then if that's malicious.

(Of course, word-processor documents can contain whole libraries, too much code to show the user: perhaps *that* is the problem.)

security concerns

Posted Aug 17, 2006 10:09 UTC (Thu) by tzafrir (subscriber, #11501)

emacs will not automatically evaluate any from any document.

I admit I don't know emacs, but I know of a similar feature in vim: it is limited to a rather harmless set of commands that could not allow you to run arbitrary code.

security concerns

Posted Aug 18, 2006 11:46 UTC (Fri) by nix (subscriber, #2304)

So you don't know Emacs but you're willing to pontificate on what it can and cannot do?

Have a look at this; search for enable-local-eval.

This is a feature of ancient vintage in both Emacs and XEmacs.

security concerns

Posted Jun 14, 2007 3:31 UTC (Thu) by jordanb (guest, #45668)

Emacs macros were a poor decision made at a time when security was more of a geek's curiosity than a million dollar matter like it is today. And the fix for them is inadequate I think. Quite honestly, I think they should not be included at all. If you want something evaluated you should do it yourself, either with a (load-file) somewhere or by executing it interactively (C-x C-e, etc).

Microsoft Office's macro decision was still made before the Internet so they have some excuse, but their "fix" was even worse than that of emacs. They didn't reduce the ability of the macros to do damage at all, they just put up that stupid warning, and because that warning gets triggered even when the macros are clearly harmless (they don't access anything outside the local file), MS Office users grow immune to them and just instinctively click through.

Given the experience that Microsoft has had,'s inclusion of macros with the exact same deficiencies is downright negligent.

I agree with the OP, macros should be restricted to a clearly-defined sandbox if they're used at all. The Emacs "solution" is especially bad in the case of an office suite because showing a macro to a secretary and asking her to decide if it's dangerous or not is like asking her if there's a dirty word in a randomly selected passage written in ancient Greek.

security concerns

Posted Aug 17, 2006 22:22 UTC (Thu) by bronson (subscriber, #4806)

it just *shows you what the code is that it's going to run* when it asks you to run it.

Just think if OpenOffice did that. That's comedy. (think of the average oo user compared to the average emacs user...)

security concerns

Posted Aug 18, 2006 11:43 UTC (Fri) by nix (subscriber, #2304)

Yes, there is the user-comprehension barrier as well!
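
Added example, not part of the comment thread and not code from Emacs: a small Python check that lists the Lisp forms a file's local-variable sections (the feature governed by enable-local-eval, discussed above) would ask Emacs to evaluate, so they can be reviewed before the file is opened. The function names and sample files are constructed for illustration, and the parser is a simplification that ignores page breaks and semicolons inside a form.

```python
import re

FIRST_LINE = re.compile(r"-\*-(.*?)-\*-")            # -*- mode: x; eval: (form) -*-
BLOCK_START = re.compile(r"^(.*?)Local Variables:(.*)$", re.IGNORECASE)

def _eval_value(entry):
    """Return the Lisp form of an 'eval: FORM' entry, else None."""
    key, _, value = entry.partition(":")
    return value.strip() if key.strip().lower() == "eval" and value.strip() else None

def find_local_evals(text):
    """List the Lisp forms that eval: entries in `text` would ask Emacs to run."""
    forms = []
    lines = text.splitlines()
    # The -*- line is line 1, or line 2 when line 1 is a #! interpreter line.
    head = lines[:2] if lines and lines[0].startswith("#!") else lines[:1]
    for line in head:
        m = FIRST_LINE.search(line)
        if m:
            # Simplification: a ';' inside the Lisp form itself would split it.
            forms += [v for v in map(_eval_value, m.group(1).split(";")) if v]
    # Emacs looks for the block only near the end of the file (last 3000 chars).
    tail = text[-3000:].splitlines()
    for i, line in enumerate(tail):
        m = BLOCK_START.match(line)
        if not m:
            continue
        prefix, suffix = m.group(1), m.group(2)
        for body in tail[i + 1:]:
            # Every entry line must carry the header line's prefix and suffix.
            if not (body.startswith(prefix) and body.endswith(suffix)):
                break
            entry = body[len(prefix):len(body) - len(suffix)]
            if entry.strip().lower().startswith("end:"):
                break
            value = _eval_value(entry)
            if value:
                forms.append(value)
        break  # only the first block header is considered
    return forms

# Constructed sample files (not taken from the thread).
SAMPLE_BLOCK = 'Notes.\n\n;; Local Variables:\n;; mode: text\n;; eval: (message "hi")\n;; End:\n'
SAMPLE_LINE = '# -*- mode: sh; eval: (message "hi") -*-\necho ok\n'
SAMPLE_CLEAN = "-*- mode: text -*-\nplain text\n"

if __name__ == "__main__":
    for name, sample in [("block", SAMPLE_BLOCK), ("line", SAMPLE_LINE), ("clean", SAMPLE_CLEAN)]:
        print(name, find_local_evals(sample))
```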
