
Re: emacs virus (was Re: JOIN THE CREW)




On Sat, 9 Aug 1997, Adam Back wrote:

> I deleted it or something, and haven't been able to find it again, and
> don't know enough elisp to re-create it, but it was pretty neat.  I
> don't think a lot of people realise that emacs has this hook for
> execing arbitrary elisp code just when you open an ordinary file, with
> no filename extension.

From the Emacs FAQ:

72:  Are there any security risks in GNU Emacs?

[...]
  * the file-local-variable feature (Yes, a risk, but easy to change.)

    There is an Emacs feature that allows the setting of local values for
    variables when editing a file by including specially formatted text
    near the end of the file.  This feature also includes the ability to
    have arbitrary Emacs Lisp code evaluated when the file is visited.
    Obviously, there is a potential for Trojan horses to exploit this
    feature.

    If you set the variable inhibit-local-variables to a non-nil value,
    Emacs will display the special local variable settings of a file that
    you visit and ask you if you really want them.  This variable is not
    mentioned in the manual.

    It is wise to do this in lisp/site-init.el before building Emacs:

      (setq inhibit-local-variables t)

    If Emacs has already been built, the expression can be put in
    lisp/default.el instead, or an individual can put it in their own
    .emacs file.

    The ability to exploit this feature by sending e-mail to an Rmail user
    was fixed sometime after Emacs 18.52.  However, any new package that
    uses find-file or find-file-noselect has to be careful about this.

    For more information, see `File Variables' in the on-line manual
    (which, incidentally, does not describe how to disable the feature).



Mark
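One way to audit a file before visiting it, as an added example that is not part of the original message or the FAQ: a Python scanner for the end-of-file "Local Variables:" list the FAQ describes, reporting every entry and singling out `eval:` forms. The function names and the sample file are constructed here, and the 3000-character and last-page limits are taken from the Emacs manual rather than from this post.

```python
import re

TAIL_CHARS = 3000  # Emacs manual: the list must start within the last 3000 characters

# Constructed sample: a plain-text file carrying a local variables list.
SAMPLE = (
    "Meeting notes, plain text.\n"
    "\n"
    ";; Local Variables:\n"
    ";; fill-column: 72\n"
    ";; eval: (message \"constructed, harmless form\")\n"
    ";; End:\n"
)

def find_local_variables(text):
    """Return [(name, value), ...] from the end-of-file list, or [] if none."""
    tail = text[-TAIL_CHARS:]
    tail = tail[tail.rfind("\f") + 1:]  # only the last page is searched
    head = re.search(r"^(.*?)Local Variables:[ \t]*(.*)$", tail, re.I | re.M)
    if not head:
        return []
    # Text around the marker is the comment prefix/suffix every entry repeats.
    prefix, suffix = head.group(1), head.group(2).rstrip()
    entries = []
    for line in tail[head.end():].splitlines()[1:]:
        line = line.rstrip()
        if not (line.startswith(prefix) and line.endswith(suffix)):
            break  # malformed list: stop parsing
        body = line[len(prefix):len(line) - len(suffix)].strip()
        name, sep, value = body.partition(":")
        if not sep or name.strip().lower() == "end":
            break
        entries.append((name.strip(), value.strip()))
    return entries

def code_entries(text):
    """Return the Lisp forms that `eval:` entries ask Emacs to run on visit."""
    return [v for n, v in find_local_variables(text) if n.lower() == "eval"]

if __name__ == "__main__":
    for name, value in find_local_variables(SAMPLE):
        flag = "RUNS CODE" if name.lower() == "eval" else "sets variable"
        print(f"{flag:13} {name}: {value}")
```

The scanner covers only the end-of-file list; it does not judge whether a non-`eval` variable is itself risky to set.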