From xemacs-m  Tue Feb 18 08:46:12 1997
Date: Tue, 18 Feb 1997 06:44:11 -0800
Message-Id: <199702181444.GAA25360@newman>
From: "William M. Perry" <wmperry@aventail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
To: Steven L Baur <steve@miranova.com>
Cc: xemacs-beta@xemacs.org
Subject: Re: Safe elisp functions?
In-Reply-To: <m2wws755ux.fsf@altair.xemacs.org>
References: <199702172311.PAA23394@newman>
	<m2zpx356pc.fsf@altair.xemacs.org>
	<199702172345.PAA23641@newman>
	<m2wws755ux.fsf@altair.xemacs.org>
Errors-to: wmperry@aventail.com
Reply-to: wmperry@aventail.com

Steven L. Baur writes:
>William M Perry writes:
>
>> Steven L. Baur writes:
>>> Take it out, now.
>
>>   Whatever for?  It's harmless right now.
>
[...]
>
>There are *no* safe functions in XEmacs.  Hrvoje just aired a bug
>yesterday that overran the stack in a ``harmless'' function and had been
>around since 19.12beta.  We have so many abort()s sprinkled around the
>code that I don't trust any of it.

  If any of those abort()s gets thrown, it is a genuine bug in XEmacs.
That's why they are there.  They should be found and reported, no matter
_what_ is getting executed at the time, whether that is downloaded
Emacs-Lisp or a font-locking operation.

>We have at least one semi-reproducible crash in the GIF C code that is
>typically exercised by usage of W3.  If you can *guarantee* me that the
>GIF code can *never* overrun the stack, I'll consider changing my
>position.  But I want a full security audit done of all functions put in
>the `safe' category.

  The GIF code has nothing to do with running downloaded code.

>> Only danger is bad choice of 'safe' functions (which must be explicitly
>> listed), which are pretty restrictive right now.  Pretty much all you
>> can do is say 'Hello there' in the minibuffer right now.
>
>> Mainly a proof-of-concept until I finish writing my javascript
>> interpreter in emacs-lisp.
>
>Can we please consider an architecture where the code that performs this
>can be cleanly excised from the lisp directory so it cannot be invoked by
>accident?

  Possibly.  Currently you could just replace w3-script.el with one that
is just a noop for w3-script-find-event-handlers and/or
w3-script-evaluate-form.

>I feel very strongly about this and do not wish to create another ActiveX.

  ActiveLisp!  No, really, all we have to do is be like Microsoft and allow
you to find out who just #$!%@ed up your day.  That's enough, right? :)

-Bill P.
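An added illustration of the explicit-allowlist approach Bill describes, with a nesting limit as a guard against the stack-overrun class of bug Steve raises. This is hypothetical code written for this archive page, not w3-script.el or anything from the thread; the `my-safe-*` names are made up.

```elisp
;; Hypothetical illustration, not w3-script.el: evaluate a downloaded form
;; only if every call in it is to an explicitly listed function.
(defvar my-safe-functions '(concat format message upcase downcase + - * length)
  "Functions a downloaded form may call.  Never list eval, funcall, apply,
load or anything that takes a function or a file name: they would let a
form reach past the allowlist.")

(defvar my-safe-max-depth 20
  "Refuse forms nested deeper than this, so a hostile form cannot drive the
checker (or the evaluator) arbitrarily far down the C stack.")

(defun my-safe-check (form depth)
  "Signal an error unless FORM is a literal or an allowlisted call."
  (cond
   ((> depth my-safe-max-depth)
    (error "Form nested deeper than %d" my-safe-max-depth))
   ;; Self-evaluating literals need no further checking.
   ((or (stringp form) (numberp form) (null form) (eq form t)))
   ;; A bare symbol would read a variable; refuse, so a form cannot pull
   ;; user-full-name, buffer contents or similar out of the running Emacs.
   ((symbolp form)
    (error "Variable reference not allowed: %s" form))
   ;; A list must be a call to an allowlisted function on safe arguments.
   ((consp form)
    (unless (memq (car form) my-safe-functions)
      (error "Function not allowed: %s" (car form)))
    (let ((args (cdr form)))
      (while (consp args)
        (my-safe-check (car args) (1+ depth))
        (setq args (cdr args)))
      ;; A dotted argument list is malformed; do not hand it to eval.
      (when args (error "Malformed argument list"))))
   (t (error "Unsupported object: %S" form))))

(defun my-safe-eval (form)
  "Check FORM against the allowlist, then evaluate it."
  (my-safe-check form 0)
  (eval form))

;; Allowed: all this can do is put a string in the echo area.
(my-safe-eval '(message "Hello %s" (upcase "there")))
;; Rejected before anything runs: getenv is not in the list, and the
;; bare symbol user-full-name would read a variable.
(condition-case err (my-safe-eval '(message (getenv "HOME")))
  (error (message "rejected: %s" (error-message-string err))))
(condition-case err (my-safe-eval '(message user-full-name))
  (error (message "rejected: %s" (error-message-string err))))
```

The whole form is checked before any of it is evaluated, so a rejected call never partially runs; the allowlist itself is the only thing that makes this safe, which is exactly the "bad choice of safe functions" risk the message points at.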

