- Disable auto-completion features in untrusted .el files
- UPDATE: Also set enable-local-eval to nil
Max Nikulin writes:
It should work, however it is a rather drastic measure that may cause
inconvenience.
It is more tricky. At least in Emacs-28, enable-local-eval helps to
mitigate the variant from the blog post
;; -*- eval: (flymake-mode 1) -*-
however the user option has no effect for the case reported in the Emacs
bug#37656 ("deprecated" feature)
;; -*- mode: emacs-lisp; mode: flymake -*-
Neither
emacs -Q --eval '(setq enable-local-eval nil)' poc.txt
nor
emacs -Q --eval '(setq enable-local-variables :safe)' poc.txt
prevents execution of code from the file.
Unfortunately
emacs -Q --eval '(setq enable-local-variables nil)' poc.txt
or a similar form in init.el disables file-specific major modes as well.
So "mode: outline" is ignored in files like "NEWS". enable-local-eval
affects "eval: (...)", but not "mode: ...". These settings are described in
<https://www.gnu.org/software/emacs/manual/html_node/emacs/Safe-File-Variables.html>
and in doc strings
<https://git.savannah.gnu.org/cgit/emacs.git/tree/lisp/files.el?h=emacs-30.1#n669>
So setting enable-local-variables to nil is a better recommendation, but
the price is inconvenience. An attack cannot be prevented by setting
enable-local-eval alone.
On 01/03/2025 19:39, Henrik Ahlgren wrote:
I wanted to point out an interesting aspect of Emacs file local
variables. It may be surprising to some that including `-*-
eval:(foobar-mode) -*-` at the beginning of a file will happily evaluate
the specified function, regardless of whether it is an "actual" minor
mode created with `define-minor-mode'. The only requirement is that the
name ends with "-mode."
This raises some questions about potential security implications.
The language encourages this kind of trick. Function names at least have to
have a -mode suffix. In the case of CVE-2025-1244, the "man:" URL scheme
causes an attempt to load url-man.el (which does not exist) and then a call
to the url-man function from url-misc.el; see url-scheme-get-property in
lisp/url/url-methods.el. The url package is a mix of functions
implementing some URL schemes (url-info, url-http, etc.), API functions,
and helpers having url-* names. There are no settings in url similar to
browse-url-handlers and eww-use-browse-url that define an explicit mapping
(e.g. to browse-url-man) and limit the schemes available through browse-url.el.
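The thread above makes the point that "mode: foo" in a "-*- ... -*-" prop line calls foo-mode whatever foo is, and that enable-local-eval only covers "eval:" entries. As an added example (not code from this thread, from Emacs, or from either poster), here is a POSIX shell pre-screen that reads the prop line of each file the way Emacs does (first line, or second line after a shebang), splits it into entries, and flags every "eval:" form and every "mode:" value outside an allowlist, so untrusted files can be checked before they are visited with enable-local-variables still enabled. The allowlist (ALLOWED_MODES) and the function names prop_line, mode_allowed and scan_file are assumptions of this example, not Emacs settings.

```shell
#!/bin/sh
# Added example: pre-screen files for Emacs "-*- ... -*-" prop lines that
# would select a mode or evaluate code when the file is visited.
# Not part of Emacs; the allowlist below is an assumption of this example.

# Mode names a prop line may select. "flymake" is deliberately absent:
# "mode: flymake" calls flymake-mode, which enable-local-eval does not stop.
ALLOWED_MODES="emacs-lisp lisp outline text org python sh"

# prop_line FILE: print the text between the first pair of -*- markers on
# line 1, or on line 2 when line 1 is a shebang (as Emacs does).
# Prints nothing when the file has no prop line.
prop_line() {
    head -n 2 "$1" | awk '
        NR == 1 && /^#!/ { next }
        {
            if (match($0, /-\*-.*-\*-/))
                print substr($0, RSTART + 3, RLENGTH - 6)
            exit
        }' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# mode_allowed NAME: succeed when NAME is in ALLOWED_MODES.
mode_allowed() {
    for m in $ALLOWED_MODES; do
        [ "$1" = "$m" ] && return 0
    done
    return 1
}

# scan_file FILE: report prop-line entries that carry an eval: form or
# select a mode outside the allowlist. Returns 0 when nothing is flagged,
# 1 otherwise. Entries are separated by ';'; a bare entry such as
# "-*- lisp -*-" is a mode name.
scan_file() {
    file=$1
    flagged=0
    line=$(prop_line "$file")
    [ -n "$line" ] || return 0
    # A here-document keeps the loop in the current shell so $flagged sticks.
    while IFS= read -r entry; do
        entry=$(printf '%s' "$entry" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -n "$entry" ] || continue
        case $entry in
            *:*)
                key=$(printf '%s' "${entry%%:*}" | sed 's/[[:space:]]*$//')
                value=$(printf '%s' "${entry#*:}" | sed 's/^[[:space:]]*//')
                ;;
            *)
                key=mode
                value=$entry
                ;;
        esac
        case $key in
            eval)
                printf '%s: eval %s\n' "$file" "$value"
                flagged=1
                ;;
            mode)
                if ! mode_allowed "$value"; then
                    printf '%s: mode %s (calls %s-mode, not allowed)\n' \
                        "$file" "$value" "$value"
                    flagged=1
                fi
                ;;
        esac
    done <<EOF
$(printf '%s\n' "$line" | tr ';' '\n')
EOF
    return $flagged
}

# Usage: sh scan-prop-lines.sh FILE...
# $status is 1 afterwards if any file was flagged.
status=0
for f in "$@"; do
    scan_file "$f" || status=1
done
```

Two limitations worth knowing before relying on this: it only reads the prop line, not a trailing "Local Variables:" block, which can carry the same "mode:" and "eval:" entries; and an eval: form containing a literal ';' is split at that character. It is a triage aid for an untrusted directory, not a substitute for setting enable-local-variables to nil.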