search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
(merge: e517eda a62d5ee)
Fix EDE security flaw involving loading arbitrary Lisp from Project.ede.
commit6e9ddbb313cf7db66550f93a74cbba12e39e93c0
authorEric M. Ludlam <zappo@gnu.org>
Fri, 13 Jan 2012 13:19:25 +0000 (13 21:19 +0800)
committerChong Yidong <cyd@gnu.org>
Fri, 13 Jan 2012 13:19:25 +0000 (13 21:19 +0800)
tree75980dee1d1a454da12d6fdd4b377a0e915dad61tree | snapshot (tar.gz zip)
parente517eda4d0d6da5d4b8f12be1608fb5e17c455ffcommit | diff
parenta62d5ee188dcb532088a15b0a2f066d3305b2edacommit | diff
Fix EDE security flaw involving loading arbitrary Lisp from Project.ede.

* lisp/ede.el (ede-project-directories): New option.
(ede-directory-safe-p): Check it.
(ede-initialize-state-current-buffer, ede, ede-new)
(ede-check-project-directory, ede-rescan-toplevel)
(ede-load-project-file, ede-parent-project, ede-current-project):
(ede-target-parent): Avoid loading in a project unless it is safe,
since it may involve malicious code.  This security flaw was
pointed out by Hiroshi Oota.

* lisp/ede/auto.el (ede-project-autoload): Add safe-p slot.
(ede-project-class-files): Projects using Project.ede are unsafe.
(ede-auto-load-project): New method.

* lisp/ede/simple.el (ede-project-class-files): Mark as unsafe.
lisp/cedet/ChangeLog diff1 |  diff2 |  blob | history
lisp/cedet/ede.el diff1 |  diff2 |  blob | history
lisp/cedet/ede/auto.el diff1 |  diff2 |  blob | history
lisp/cedet/ede/simple.el diff1 |  diff2 |  blob | history
Emacs repository mirror