Max Nikulin <maniku...@gmail.com> writes: >>> - Disable auto-completion features in untrusted .el files >>> - UPDATE: Also set enable-local-eval to nil > > It should work, however it is rather drastic measure that may cause > inconvenience.
I wanted to point out an interesting aspect of Emacs file local variables. It may be surprising to some that including `-*- eval:(foobar-mode) -*-` at the beginning of a file will happily evaluate the specified function, regardless of whether it is an "actual" minor mode created with `define-minor-mode'. The only requirement is that the name ends with "-mode." This raises some questions about potential security implications. While I'm not certain how relevant this is or in what scenarios it could be exploited (if an attacker can define a new function, it's obviously game-over no matter what), it certainly feels concerning. Some users may expect the `-mode` convention to apply solely to well-known, built-in minor modes in Emacs, not for instance the user's own custom Lisp.
