[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: eval and security
From: |
tomas |
Subject: |
Re: eval and security |
Date: |
Mon, 24 Oct 2016 14:31:52 +0200 |
User-agent: |
Mutt/1.5.21 (2010-09-15) |
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Mon, Oct 24, 2016 at 02:20:44PM +0200, Andreas Röhler wrote:
> Hi,
>
> remember a saying like "avoid calls like (eval 'my-symbol) in
> lisp-code" as related to security issues.
>
> Is there some reading to learn more? Maybe I'm mistaking something?
Perhaps because a randomly downloaded package can redefine 'my-symbol
to be something evil?
In any case, if you indirect your code through user-overridable
stuff (e.g. hooks), the least you can do is to use a defvar
marking the thing as "risky": then Emacs will do its best to
avoid changing it when the user doesn't expect it.
There's a chapter "Security Considerations" in the Emacs Lisp
manual[1].
regards
[1]
https://www.gnu.org/software/emacs/manual/html_node/elisp/Security-Considerations.html
- -- t
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iEYEARECAAYFAlgN/zcACgkQBcgs9XrR2kalLwCfYv6yRyRAECNQ9zCepzgdZJqb
9gMAn2nR87fNoh5nzMqF+bGVi6FncgXc
=QPBI
-----END PGP SIGNATURE-----