[Date Prev][Date Next][Thread Prev][Thread Next][Author Index][Date Index][Thread Index]

Trojan horses for man pages, emacs mail readers.



Found in alt.security:
================================
Article 239 of alt.security:
[]
>From: tadguy@xxxxxxxxxxxxxxxxxxxxx (Tad Guy)
Subject: gnu emacs local-variables (was Would you believe an nroff virus...)

In article <6321@xxxxxxxxxxxxxxxxxxx> ras@xxxxxxxxxxxxxxxxxxx (Ralph A. Shaw):
> In the "nroff" formatter, ...there is a little-known request for
> executing an arbitrary program. 

In the same vein, there's the local-variables feature of GNU Emacs.
According to Info:

|   A file can contain a "local variables list", which specifies the
| values to use for certain Emacs variables when that file is edited.
| ...
|   Two "variable" names are special in a local variables list: a value for
| the variable `mode' really sets the major mode, and a value for the
| variable `eval' is simply evaluated as an expression and the value is
| ignored.

The `eval' variable is especially nasty, since it can make your emacs
do anything when you visit a file containing such a local-variable.

Consider the possibility of a local-variable eval that does some nasty
thing to your system, and then deletes itself from the file you just
visited...

But there's a way to partially protect yourself.  There's a variable in
GNU Emacs that controls the local-variables' behavior:

| inhibit-local-variables's value is t
| 
| Documentation:
| *Non-nil means query before obeying a file's local-variables list.
| This applies when the local-variables list is scanned automatically
| after you find a file.  If you explicitly request such a scan with
| M-x normal-mode, there is no query, regardless of this variable.

It's nil by default.  By default if you visit a file (perhaps this
message, which has a local variable attached for as a demonstration),
the local variables will be executed, perhaps without your knowledge...

A simple (setq inhibit-local-variables t) in your .emacs makes emacs
ask before doing...

	...tad


Local variables:
eval: (message "I just boffed your system!")
End: