emacs virus (was Re: JOIN THE CREW)

Mark M. markm at voicenet.com
Sat Aug 9 12:35:01 PDT 1997


On Sat, 9 Aug 1997, Adam Back wrote:

> I deleted it or something, and haven't been able to find it again, and
> don't know enough elisp to re-create it, but it was pretty neat.  I
> don't think a lot of people realise that emacs has this hook for
> execing arbitrary elisp code just when you open an ordinary file, with
> no filename extension.

>From the Emacs FAQ:

72:  Are there any security risks in GNU Emacs?

  * the file-local-variable feature (Yes, a risk, but easy to change.)

    There is an Emacs feature that allows the setting of local values for
    variables when editing a file by including specially formatted text
    near the end of the file.  This feature also includes the ability to
    have arbitrary Emacs Lisp code evaluated when the file is visited.
    Obviously, there is a potential for Trojan horses to exploit this

    If you set the variable inhibit-local-variables to a non-nil value,
    Emacs will display the special local variable settings of a file that
    you visit and ask you if you really want them.  This variable is not
    mentioned in the manual.

    It is wise to do this in lisp/site-init.el before building Emacs:

      (setq inhibit-local-variables t)

    If Emacs has already been built, the expression can be put in
    lisp/default.el instead, or an individual can put it in their own
    .emacs file.

    The ability to exploit this feature by sending e-mail to an Rmail user
    was fixed sometime after Emacs 18.52.  However, any new package that
    uses find-file or find-file-noselect has to be careful about this.

    For more information, see `File Variables' in the on-line manual
    (which, incidentally, does not describe how to disable the feature).

Version: 2.6.3
Charset: noconv


More information about the cypherpunks-legacy mailing list