On Tue, Dec 05 2017, David Bremner wrote:
TL;DR; LGTM. :D
> This adds a comment to Tomi's previous version, and a test. I've
> tested the test by commenting out Tomi's fix and running it under
> emacs24 ("exploit" runs) and debian emacs 25.2 (which includes the
> relevant fix. In the latter case, the test passes with the notmuch
> code commented out, because emacs mime-rendering has been fixed. I
> consider this reasonable, since it test success means this particular
> exploit is blocked.
Thank you David for doing the work I had in my queue -- and the test!
So, for me was left testing the test:
First I tested on Fedora 27 -- it has emacs 25.3 so the workaround we
provide is not active -- all tests when doing
(cd test && ./T450-emacs-show.sh) PASS.
Next I recompiled the whole stuff on container with Ubuntu 14.04 userspace;
(emacs 23.4.1) With this I had problems breaking the fix so I could get the
test in question FAIL -- I just could not, and finally tested that the
function (read-only-mode) (used in exploit) is not defined in emacs 23.
Since emacs 23 is deprecated IMO it is fine that this test does not test
the behaviour there -- I believe the protection we get testing emacs 24
is good enough here (I've examined the elisp code in question and it is
the same since emacs 23.1 to emacs 24.3 (at least)).
Finally I launched Centos 7.0.1406 based container, now with emacs 24.3.1.
After recompilation and testing that tests PASS normally, I could easily
break the fix and get the test FAIL!
So, series LGTM.
Tomi
_______________________________________________
notmuch mailing list
notmuch@notmuchmail.org
https://notmuchmail.org/mailman/listinfo/notmuch
