Gnus development mailing list
* normal-mode considered dangerous
@ 2011-03-28 17:05 Lars Magne Ingebrigtsen
  2011-03-29  9:02 ` Julien Danjou
  0 siblings, 1 reply; 7+ messages in thread
From: Lars Magne Ingebrigtsen @ 2011-03-28 17:05 UTC (permalink / raw)
  To: ding

While viewing <87y63zmd61.fsf@gilgamesch.quim.ucm.es> (on
news.gmane.org), I get the backtrace below.

`mm-display-inline-fontify' calls `normal-mode' now, and I think that's
a potential recipe for disaster.  It's one thing to institute a mode of
some kind when you're reading a local file, but doing it when receiving
a message means that any exploitable hole in any of the modes in Emacs
can be used remotely.

So I think there should be a white-list before calling `normal-mode'.

Debugger entered--Lisp error: (args-out-of-range "vc-bug" 23 6)
  dir-locals-collect-variables(((emacs-lisp-mode (show-trailing-whitespace . t))) "/home/larsi/pgnus/lisp/" nil)
  hack-dir-local-variables()
  hack-local-variables()
  normal-mode()
  mm-display-inline-fontify((#<buffer  *mm*<3>> ("text/plain" (charset . "iso-8859-1")) quoted-printable nil ("inline" (filename . "vc-bug")) nil nil nil))
  mm-inline-text((#<buffer  *mm*<3>> ("text/plain" (charset . "iso-8859-1")) quoted-printable nil ("inline" (filename . "vc-bug")) nil nil nil))
  mm-display-inline((#<buffer  *mm*<3>> ("text/plain" (charset . "iso-8859-1")) quoted-printable nil ("inline" (filename . "vc-bug")) nil nil nil))
  mm-display-part((#<buffer  *mm*<3>> ("text/plain" (charset . "iso-8859-1")) quoted-printable nil ("inline" (filename . "vc-bug")) nil nil nil) t)
  byte-code("\b\203\0\306\b\211A@	\"\203\0\307\300\310\"\210\202\0\n\211\205\"\311\312\v!!)\203/r\nq\210\f)\2020\f\203:\306\313	\"\204x\314!?\205T\3158?\206T\3158@\316\232\206T\317!\211)\203x\320!\203x\321!\203l\322!\204r\323	!\203x\324*\202\231\r\325\211@;\203\210\r@\202\214\rA@@)\326\"@)\327\232\203\231\324+,GT\310-\211.B,B,*\203\353\r\325\211@;\203\277\r@\202\303\rA@@)\326\"@)\330\232\203\353\331\332n\204\327\333\202\351o\204\344`SSf\332=\203\350\334\202\351\335\"\210*\203\376\336	!\203\376\x0e./=\203\x01\337\x0e.*\206\x01)\205\x01+C#\210\340 \210\3240`-*\203\226\x0e0\203*\341y\210`-1\212\310\342\343\217\2102)345\344=\203[\x0e6\211\205L\311\312\v!!)\203[r6q\2107)\202]\x0e7\2118\204g\324\202\201\x0e9;\203v\30698\"\202\201\x0e9:\205\201\x0e89\235?\205\207\x0e:):\345\324\"\210+db\210\202\265\x0e+\203\265\x0e)\203\265\x0e0\203\253\341y\210`-\340 \210\346!\210db\210\212\214-`}\210\x0e;=\203\335\347\310\335\211\211@;\203\324\r@\202\330\rA@@)$\202.\310<;\310=\211>\203\x02>@\211=;\204\x02=A@@\350\232\204\x02=<B<>A\211>\204\353*\347\310\x0e<>G<G\211@;\203'\r@\202+\rA@@)$),\207" [ignored type gnus-summary-buffer buffer gnus-inhibit-images handle string-match throw nil buffer-live-p get-buffer "\\`image/" mm-inline-override-p 4 "inline" mm-attachment-override-p mm-automatic-display-p mm-inlinable-p mm-inlined-p mm-automatic-external-display-p t split-string "/" "text" "message" insert-char 10 2 0 1 gnus-unbuttonized-mime-type-p gnus-insert-mime-button gnus-article-insert-newline -1 (set-buffer gnus-summary-buffer) ((error)) gnus-article-mode mm-display-part mm-display-inline gnus-treat-article "application/pgp-signature" not-attachment display text gnus-article-mime-handle-alist beg id gnus-mime-buttonized-part-id move gnus-newsgroup-charset ...] 6)
  gnus-mime-display-single((#<buffer  *mm*<3>> ("text/plain" (charset . "iso-8859-1")) quoted-printable nil ("inline" (filename . "vc-bug")) nil nil nil))
  gnus-mime-display-part((#<buffer  *mm*<3>> ("text/plain" (charset . "iso-8859-1")) quoted-printable nil ("inline" (filename . "vc-bug")) nil nil nil))
  mapcar(gnus-mime-display-part ((#<buffer  *mm*<2>> ("text/plain") nil (lambda nil (let ((inhibit-read-only t)) (delete-region #<marker at 6233 in *Article nntp+news.gmane.org:gmane.emacs.xemacs.beta*> #<marker at 6415 in *Article nntp+news.gmane.org:gmane.emacs.xemacs.beta*>))) nil nil nil nil) (#<buffer  *mm*<3>> ("text/plain" (charset . "iso-8859-1")) quoted-printable nil ("inline" (filename . "vc-bug")) nil nil nil) (#<buffer  *mm*<4>> ("text/plain" (charset . "iso-8859-1")) quoted-printable nil nil nil nil nil) (#<buffer  *mm*<5>> ("text/plain" (charset . "us-ascii")) 7bit nil ("inline") nil nil nil)))
  gnus-mime-display-mixed(((#<buffer  *mm*<2>> ("text/plain") nil (lambda nil (let ((inhibit-read-only t)) (delete-region #<marker at 6233 in *Article nntp+news.gmane.org:gmane.emacs.xemacs.beta*> #<marker at 6415 in *Article nntp+news.gmane.org:gmane.emacs.xemacs.beta*>))) nil nil nil nil) (#<buffer  *mm*<3>> ("text/plain" (charset . "iso-8859-1")) quoted-printable nil ("inline" (filename . "vc-bug")) nil nil nil) (#<buffer  *mm*<4>> ("text/plain" (charset . "iso-8859-1")) quoted-printable nil nil nil nil nil) (#<buffer  *mm*<5>> ("text/plain" (charset . "us-ascii")) 7bit nil ("inline") nil nil nil)))
  gnus-mime-display-part((#("multipart/mixed" 0 15 (boundary "=-=-=" buffer #<buffer  *mm*> from "oub@mat.ucm.es" start nil)) (#<buffer  *mm*<2>> ("text/plain") nil (lambda nil (let ((inhibit-read-only t)) (delete-region #<marker at 6233 in *Article nntp+news.gmane.org:gmane.emacs.xemacs.beta*> #<marker at 6415 in *Article nntp+news.gmane.org:gmane.emacs.xemacs.beta*>))) nil nil nil nil) (#<buffer  *mm*<3>> ("text/plain" (charset . "iso-8859-1")) quoted-printable nil ("inline" (filename . "vc-bug")) nil nil nil) (#<buffer  *mm*<4>> ("text/plain" (charset . "iso-8859-1")) quoted-printable nil nil nil nil nil) (#<buffer  *mm*<5>> ("text/plain" (charset . "us-ascii")) 7bit nil ("inline") nil nil nil)))
  gnus-display-mime()
  gnus-article-prepare-display()
  gnus-article-prepare(34597 nil)
  gnus-summary-display-article(34597 nil)
  gnus-summary-select-article(nil force)
  gnus-summary-show-article(nil)
  call-interactively(gnus-summary-show-article nil nil)


-- 
(domestic pets only, the antidote for overdose, milk.)
  larsi@gnus.org * Lars Magne Ingebrigtsen





* Re: normal-mode considered dangerous
  2011-03-28 17:05 normal-mode considered dangerous Lars Magne Ingebrigtsen
@ 2011-03-29  9:02 ` Julien Danjou
  2011-03-29 14:43   ` Ted Zlatanov
  2011-03-29 17:36   ` Lars Magne Ingebrigtsen
  0 siblings, 2 replies; 7+ messages in thread
From: Julien Danjou @ 2011-03-29  9:02 UTC (permalink / raw)
  To: ding

[-- Attachment #1: Type: text/plain, Size: 603 bytes --]

On Mon, Mar 28 2011, Lars Magne Ingebrigtsen wrote:

> `mm-display-inline-fontify' calls `normal-mode' now, and I think that's
> a potential recipe for disaster.  It's one thing to institute a mode of
> some kind when you're reading a local file, but doing it when receiving
> a message means that any exploitable hole in any of the modes in Emacs
> can be used remotely.

Good idea. I've replaced it by `set-auto-mode' with
`enable-local-variables' set to nil. I did not test it, could you
confirm it's ok and I did not break everything?

-- 
Julien Danjou
❱ http://julien.danjou.info

[-- Attachment #2: Type: application/pgp-signature, Size: 835 bytes --]


* Re: normal-mode considered dangerous
  2011-03-29  9:02 ` Julien Danjou
@ 2011-03-29 14:43   ` Ted Zlatanov
  2011-03-29 15:19     ` Julien Danjou
  2011-03-29 17:36   ` Lars Magne Ingebrigtsen
  1 sibling, 1 reply; 7+ messages in thread
From: Ted Zlatanov @ 2011-03-29 14:43 UTC (permalink / raw)
  To: ding

On Tue, 29 Mar 2011 11:02:07 +0200 Julien Danjou <julien@danjou.info> wrote: 

JD> On Mon, Mar 28 2011, Lars Magne Ingebrigtsen wrote:
>> `mm-display-inline-fontify' calls `normal-mode' now, and I think that's
>> a potential recipe for disaster.  It's one thing to institute a mode of
>> some kind when you're reading a local file, but doing it when receiving
>> a message means that any exploitable hole in any of the modes in Emacs
>> can be used remotely.

JD> Good idea. I've replaced it by `set-auto-mode' with
JD> `enable-local-variables' set to nil. I did not test it, could you
JD> confirm it's ok and I did not break everything?

Why wouldn't you test before committing+pushing?  Make a branch or send
a patch if you're not sure.

Ted





* Re: normal-mode considered dangerous
  2011-03-29 14:43   ` Ted Zlatanov
@ 2011-03-29 15:19     ` Julien Danjou
  2011-03-29 15:23       ` Ted Zlatanov
  0 siblings, 1 reply; 7+ messages in thread
From: Julien Danjou @ 2011-03-29 15:19 UTC (permalink / raw)
  To: Ted Zlatanov; +Cc: ding

[-- Attachment #1: Type: text/plain, Size: 453 bytes --]

On Tue, Mar 29 2011, Ted Zlatanov wrote:

> Why wouldn't you test before committing+pushing?  Make a branch or send
> a patch if you're not sure.

Well, because I'm rather confident the patch is correct, or is at worst
a no-op. Making a branch or sending a patch would have been much more
work for me and/or for Lars to test, than to send in a fix.

I admit it may be a little cavalier. :)

-- 
Julien Danjou
❱ http://julien.danjou.info

[-- Attachment #2: Type: application/pgp-signature, Size: 835 bytes --]


* Re: normal-mode considered dangerous
  2011-03-29 15:19     ` Julien Danjou
@ 2011-03-29 15:23       ` Ted Zlatanov
  0 siblings, 0 replies; 7+ messages in thread
From: Ted Zlatanov @ 2011-03-29 15:23 UTC (permalink / raw)
  To: ding

On Tue, 29 Mar 2011 17:19:53 +0200 Julien Danjou <julien@danjou.info> wrote: 

JD> On Tue, Mar 29 2011, Ted Zlatanov wrote:
>> Why wouldn't you test before committing+pushing?  Make a branch or send
>> a patch if you're not sure.

JD> Well, because I'm rather confident the patch is correct, or is at worst
JD> a no-op. Making a branch or sending a patch would have been much more
JD> work for me and/or for Lars to test, than to send in a fix.

OK, it sounded worse because I didn't know it was just a no-op in the
worst case.

Ted





* Re: normal-mode considered dangerous
  2011-03-29  9:02 ` Julien Danjou
  2011-03-29 14:43   ` Ted Zlatanov
@ 2011-03-29 17:36   ` Lars Magne Ingebrigtsen
  2011-03-30  8:13     ` Julien Danjou
  1 sibling, 1 reply; 7+ messages in thread
From: Lars Magne Ingebrigtsen @ 2011-03-29 17:36 UTC (permalink / raw)
  To: ding

Julien Danjou <julien@danjou.info> writes:

> Good idea. I've replaced it by `set-auto-mode' with
> `enable-local-variables' set to nil.

Thanks; Gnus no longer bugs out.  But are you really sure that all the
modes that Emacs has are safe to call on any message type you get?

-- 
(domestic pets only, the antidote for overdose, milk.)
  larsi@gnus.org * Lars Magne Ingebrigtsen





* Re: normal-mode considered dangerous
  2011-03-29 17:36   ` Lars Magne Ingebrigtsen
@ 2011-03-30  8:13     ` Julien Danjou
  0 siblings, 0 replies; 7+ messages in thread
From: Julien Danjou @ 2011-03-30  8:13 UTC (permalink / raw)
  To: ding

[-- Attachment #1: Type: text/plain, Size: 414 bytes --]

On Tue, Mar 29 2011, Lars Magne Ingebrigtsen wrote:

> Thanks; Gnus no longer bugs out.  But are you really sure that all the
> modes that Emacs has are safe to call on any message type you get?

I don't know of any mode that would be dangerous in Emacs itself, nor
any way to exploit any mode to make it dangerous (since local variables
are disabled).

-- 
Julien Danjou
❱ http://julien.danjou.info

[-- Attachment #2: Type: application/pgp-signature, Size: 835 bytes --]
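
The two mitigations discussed in this thread (local variables disabled, plus the allow-list of modes Lars asks for) can be combined as below. This is an added Emacs Lisp example, not Gnus code or anything posted by the participants; the `my/` names and the contents of the allow-list are assumptions.

```elisp
;; Added illustration: fontify an untrusted MIME part without `normal-mode'.
;; All `my/' names and the sample allow-list are hypothetical.

(defvar my/mime-fontify-allowed-modes
  '(emacs-lisp-mode c-mode diff-mode sh-mode python-mode)
  "Major modes permitted for fontifying message parts (sample list).")

(defun my/mime-mode-for-filename (filename)
  "Return the major mode `auto-mode-alist' maps FILENAME to, or nil.
Only the attachment name is consulted, never the part's contents, so
`-*- mode: -*-' cookies and magic-number matching play no role."
  (let ((mode (and filename
                   (assoc-default (file-name-nondirectory filename)
                                  auto-mode-alist #'string-match))))
    ;; Entries of the form (REGEXP FUNCTION FLAG) yield a list here and
    ;; are rejected; a bare name such as "vc-bug" matches nothing.
    (and (symbolp mode) (fboundp mode) mode)))

(defun my/mime-fontify-untrusted (text filename)
  "Return TEXT fontified by an allow-listed mode chosen from FILENAME.
Return TEXT unchanged when no mode matches or the mode is not allowed."
  (let ((mode (my/mime-mode-for-filename filename)))
    (if (not (memq mode my/mime-fontify-allowed-modes))
        text
      (with-temp-buffer
        (insert text)
        ;; No file-local variables, no `eval:' forms, and no directory
        ;; locals (the `hack-dir-local-variables' frame in the backtrace
        ;; above), and user mode hooks are not run on remote content.
        (let ((enable-local-variables nil)
              (enable-local-eval nil)
              (enable-dir-local-variables nil))
          (delay-mode-hooks (funcall mode)))
        (font-lock-ensure)
        (buffer-string)))))

;; Constructed sample input:
;; (my/mime-fontify-untrusted "(defun f () 1)\n" "sample.el")
;; (my/mime-fontify-untrusted "plain text\n" "vc-bug")
```

The mode function is called directly, so the mode's own code (syntax tables, font-lock keywords) still processes the message text; the allow-list bounds which modes get that chance.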
