cfee2c6b0f
GNU Emacs "enable-local-variables" Variable Processing Vulnerability
patch from upstream git; earlier releases are not affected
38 lines
1.5 KiB
Plaintext
38 lines
1.5 KiB
Plaintext
$OpenBSD: patch-lisp_files_el,v 1.1 2012/08/17 09:09:01 jasper Exp $
|
|
|
|
Security fix for CVE-2012-3479, GNU Emacs "enable-local-variables" Variable Processing Vulnerability
|
|
|
|
From 90c310d22c6f06332257c816253c642fd2bf90aa Mon Sep 17 00:00:00 2001
|
|
From: Glenn Morris <rgm@gnu.org>
|
|
Date: Tue, 07 Aug 2012 18:41:39 +0000
|
|
Subject: hack-local-variables-filter fix for bug#12155
|
|
|
|
* lisp/files.el (hack-local-variables-filter): If an eval: form is not
|
|
known to be safe, and enable-local-variables is :safe, then ignore
|
|
the form totally, as is done for non-eval forms.
|
|
|
|
--- lisp/files.el.orig Wed Jan 11 13:35:01 2012
|
|
+++ lisp/files.el Fri Aug 17 10:54:45 2012
|
|
@@ -2986,11 +2986,16 @@ DIR-NAME is a directory name if these settings come fr
|
|
;; Obey `enable-local-eval'.
|
|
((eq var 'eval)
|
|
(when enable-local-eval
|
|
- (push elt all-vars)
|
|
- (or (eq enable-local-eval t)
|
|
- (hack-one-local-variable-eval-safep (eval (quote val)))
|
|
- (safe-local-variable-p var val)
|
|
- (push elt unsafe-vars))))
|
|
+ (let ((safe (or (hack-one-local-variable-eval-safep
|
|
+ (eval (quote val)))
|
|
+ ;; In case previously marked safe (bug#5636).
|
|
+ (safe-local-variable-p var val))))
|
|
+ ;; If not safe and e-l-v = :safe, ignore totally.
|
|
+ (when (or safe (not (eq enable-local-variables :safe)))
|
|
+ (push elt all-vars)
|
|
+ (or (eq enable-local-eval t)
|
|
+ safe
|
|
+ (push elt unsafe-vars))))))
|
|
;; Ignore duplicates (except `mode') in the present list.
|
|
((and (assq var all-vars) (not (eq var 'mode))) nil)
|
|
;; Accept known-safe variables.
|