From xemacs-m  Mon Feb 17 18:01:54 1997
Received: from altair.xemacs.org (steve@xemacs.miranova.com [206.190.83.19])
	by xemacs.org (8.8.5/8.8.5) with ESMTP id SAA24165
	for <xemacs-beta@xemacs.org>; Mon, 17 Feb 1997 18:01:51 -0600 (CST)
Received: (from steve@localhost)
	by altair.xemacs.org (8.8.5/8.8.5) id QAA00272;
	Mon, 17 Feb 1997 16:13:11 -0800
Mail-Copies-To: never
To: xemacs-beta@xemacs.org
Subject: Re: Safe elisp functions?
References: <199702172311.PAA23394@newman> 	<m2zpx356pc.fsf@altair.xemacs.org> <199702172345.PAA23641@newman>
X-Url: http://www.miranova.com/%7Esteve/
X-Face: #!T9!#9s-3o8)*uHlX{Ug[xW7E7Wr!*L46-OxqMu\xz23v|R9q}lH?cRS{rCNe^'[`^sr5"
 f8*@r4ipO6Jl!:Ccq<xoV[Qz2u8<8-+Vwf2gzJ44lf_/y9OaQ`@#Q65{U4/TC)i2`~/M&QI$X>p:9I
 OSS'2{-)-4wBnVeg0S\O4Al@)uC[pD|+
X-Attribution: sb
From: Steven L Baur <steve@miranova.com>
In-Reply-To: "William M. Perry"'s message of Mon, 17 Feb 1997 15:45:02 -0800
Mime-Version: 1.0 (generated by tm-edit 7.105)
Content-Type: multipart/mixed;
 boundary="Multipart_Mon_Feb_17_16:13:10_1997-1"
Content-Transfer-Encoding: 7bit
Date: 17 Feb 1997 16:13:10 -0800
Message-ID: <m2wws755ux.fsf@altair.xemacs.org>
Lines: 94
X-Mailer: Gnus v5.4.13/XEmacs 20.1

--Multipart_Mon_Feb_17_16:13:10_1997-1
Content-Type: text/plain; charset=US-ASCII

William M Perry writes:

> Steven L. Baur writes:
>> Take it out, now.

>   Whatever for?  It's harmless right now.

I'm a network administrator, so I have a higher level of paranoia than
a lot of people.  At the moment your message arrived I was on the
phone with a client whose system was overrun by a hacker this past
weekend (it looks like they got phf'ed :-().

There are *no* safe functions in XEmacs.  Hrvoje just aired a bug
yesterday that overran the stack in a ``harmless'' function and had
been around since 19.12beta.  We have so many abort()s sprinkled
around the code that I don't trust any of it.

We have at least one semi-reproducible crash in the GIF C code that
is typically exercised by usage of W3.  If you can *guarantee* me that
the GIF code can *never* overrun the stack, I'll consider changing my
position.  But I want a full security audit done of all functions put
in the `safe' category.

> Only danger is bad choice of 'safe' functions (which must be
> explicitly listed), which are pretty restrictive right now.  Pretty
> much all you can do is say 'Hello there' in the minibuffer right
> now.

> Mainly a proof-of-concept until I finish writing my javascript
> interpreter in emacs-lisp.

Can we please consider an architecture where the code that performs
this can be cleanly excised from the lisp directory so it cannot be
invoked by accident?

I feel very strongly about this and do not wish to create another
ActiveX.

--Multipart_Mon_Feb_17_16:13:10_1997-1
Content-Type: text/plain; charset=US-ASCII

Path: zinger.callamer.com!svr1.gstis.net!news.aloha.net!news.sprintlink.net!news-stk-3.sprintlink.net!www.nntp.primenet.com!nntp.primenet.com!news.mathworks.com!news.maxwell.syr.edu!nntp.uio.no!ifi.uio.no!usenet
From: Erik Naggum <erik@naggum.no>
Newsgroups: comp.emacs
Subject: guarding against viruses
Date: 13 Feb 1997 12:35:59 +0000
Organization: Naggum Software; +47 2295 0313; http://www.naggum.no
Lines: 30
Message-ID: <3064826159383196@naggum.no>
References: <iy0k9of9gvu.fsf@migraine>
NNTP-Posting-Host: naggum.no
mail-copies-to: never
X-Newsreader: Gnus v5.3/19.35.-990
Xref: zinger.callamer.com comp.emacs:13199

* Ram Gopalaswamy
[ another mail virus hoax ]

however unlikely this is to be true, I think it would be instructive to see
if any of the mail readers for Emacs could execute random code in messages
received from the Net.  it would be a good idea to ensure that no code
_could_ run just by being included in a file.

we already know that visiting a remote file with Emacs opens the way for setting
variables and perhaps evaluating expressions, and it would be bad if this
was also possible with mail.  with all the randomness that MIME has given
us, including "attachments" and other hazards, I think it would be prudent
to spend some brainpower on this issue.

once we have done this, we would be able to say

    if you read mail with Emacs, you are not exposed to the hazards that
    you might be exposed to if you read mail with non-free software, such
    as viruses, random remailings, tapped mailboxes, or other intrusive
    behavior that mail users regularly warn each other about in widely
    distributed virus alerts.  as an Emacs user, you do not need to take
    any action upon seeing such alerts.  software viruses are possible only
    because commercial software vendors do a sloppy job with security and
    don't let better programmers fix the problems they create.

(I'll ignore sendmail for the sake of the marketing argument.  :)

#\Erik
-- 
my other car is a cdr

-- 
steve@miranova.com baur
Unsolicited commercial e-mail will be billed at $250/message.

--Multipart_Mon_Feb_17_16:13:10_1997-1--
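Two things in the thread lend themselves to a concrete illustration: Erik's observation that visiting a file can set variables and evaluate expressions through its local-variable section, and William Perry's "explicitly listed safe functions" approach with Steve's caveat that an allowlist at the Lisp level says nothing about the C primitives underneath. The Emacs Lisp below is an added example, not code from either poster or from XEmacs; `enable-local-variables` and `enable-local-eval` are real Emacs variables, while everything prefixed `my-` is a hypothetical name chosen for this example.

```elisp
;;; Added example (not from the thread): hardening against code carried in
;;; visited files, and a minimal allowlist evaluator of the kind William
;;; Perry describes.  `my-' names are hypothetical; the two `enable-local-'
;;; variables are real Emacs variables.

;; Weak setting: every variable in a file's local-variables section is
;; applied, and an `eval:' entry in it runs when the file is visited.
;; (setq enable-local-variables t
;;       enable-local-eval t)

;; Hardened setting: only variables marked safe are applied, and `eval:'
;; entries are never evaluated.  (The `:safe' value requires Emacs 22 or
;; later; on older Emacsen use nil.)
(setq enable-local-variables :safe
      enable-local-eval nil)

;; Allowlist evaluator.  Anything not explicitly listed is refused before
;; evaluation, the inverse of trying to enumerate the dangerous functions.
(defvar my-safe-functions '(message concat format upcase downcase + - * length)
  "Functions an untrusted form may call.  Hypothetical list for this example.")

(defun my-check-safe-form (form)
  "Signal an error unless FORM only calls functions in `my-safe-functions'.
Self-evaluating data (strings, numbers, keywords, nil, t) and quoted data
pass; any other symbol is a variable reference and is refused."
  (cond
   ((or (stringp form) (numberp form) (keywordp form)
        (null form) (eq form t))
    t)
   ((symbolp form)
    (error "Variable reference not allowed: %S" form))
   ((not (consp form))
    (error "Unsupported object: %S" form))
   ((eq (car form) 'quote) t)           ; quoted data is inert
   ((memq (car form) my-safe-functions)
    (mapc #'my-check-safe-form (cdr form))   ; check every argument too
    t)
   (t (error "Function not allowed: %S" (car form)))))

(defun my-safe-eval (form)
  "Evaluate FORM only if `my-check-safe-form' accepts every subform."
  (my-check-safe-form form)
  (eval form))

;; Usage:
;; (my-safe-eval '(message "Hello %s" (upcase "there")))  ; accepted, runs
;; (my-safe-eval '(setq load-path nil))                   ; refused: setq not listed
;; (my-safe-eval '(message "%s" load-path))               ; refused: variable reference
```

The check walks the whole form before anything is evaluated, so a disallowed call nested inside an allowed one is still refused. What it cannot do is the point Steve raises: if a listed primitive has a memory-safety bug in its C implementation, the allowlist does not help, which is why he asks for an audit of every function admitted to the `safe' category rather than trusting the list on its own.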