Re: Re: GNU Emacs 30.1 released with 2 CVE fixes

[Henrik Ahlgren <pablo () seestieto com>]

Max Nikulin <manikulin () gmail com> writes:

> > > - Disable auto-completion features in untrusted .el files
> > > - UPDATE: Also set enable-local-eval to nil
>
> It should work, however it is rather drastic measure that may cause
> inconvenience.

I wanted to point out an interesting aspect of Emacs file local
variables. It may be surprising to some that including `-*-
eval:(foobar-mode) -*-` at the beginning of a file will happily evaluate
the specified function, regardless of whether it is an "actual" minor
mode created with `define-minor-mode'. The only requirement is that the
name ends with "-mode."

This raises some questions about potential security implications. While
I'm not certain how relevant this is or in what scenarios it could be
exploited (if an attacker can define a new function, it's obviously
game-over no matter what), it certainly feels concerning. Some users may
expect the `-mode` convention to apply solely to well-known, built-in
minor modes in Emacs, not for instance the user's own custom Lisp.