Fix EDE security flaw involving loading arbitrary Lisp from Project.ede.
author    Eric M. Ludlam <zappo@gnu.org>
          Fri, 13 Jan 2012 13:19:25 +0000 (21:19 +0800)
committer Chong Yidong <cyd@gnu.org>
          Fri, 13 Jan 2012 13:19:25 +0000 (21:19 +0800)
* lisp/ede.el (ede-project-directories): New option.
(ede-directory-safe-p): Check it.
(ede-initialize-state-current-buffer, ede, ede-new)
(ede-check-project-directory, ede-rescan-toplevel)
(ede-load-project-file, ede-parent-project, ede-current-project):
(ede-target-parent): Avoid loading in a project unless it is safe,
since it may involve malicious code.  This security flaw was
pointed out by Hiroshi Oota.

* lisp/ede/auto.el (ede-project-autoload): Add safe-p slot.
(ede-project-class-files): Projects using Project.ede are unsafe.
(ede-auto-load-project): New method.

* lisp/ede/simple.el (ede-project-class-files): Mark as unsafe.

lisp/cedet/ChangeLog
lisp/cedet/ede.el
lisp/cedet/ede/auto.el
lisp/cedet/ede/simple.el

 -2011-04-13  Juanma Barranquero  <lekktu@gmail.com>
+ 2012-01-09  Eric Ludlam  <zappo@gnu.org>
+       * ede.el (ede-project-directories): New option.
+       (ede-directory-safe-p): Check it.
+       (ede-initialize-state-current-buffer, ede, ede-new)
+       (ede-check-project-directory, ede-rescan-toplevel)
+       (ede-load-project-file, ede-parent-project, ede-current-project):
+       (ede-target-parent): Avoid loading in a project unless it is safe,
+       since it may involve malicious code.  This security flaw was
+       pointed out by Hiroshi Oota.
+       * ede/auto.el (ede-project-autoload): Add safe-p slot.
+       (ede-project-class-files): Projects using Project.ede are unsafe.
+       (ede-auto-load-project): New method.
+       * ede/simple.el (ede-project-class-files): Mark as unsafe.
 +2011-12-19  Sam Steingold  <sds@gnu.org>
 +
 +      * semantic/edit.el (semantic-edits-incremental-parser): Add the
 +      autoload cookie, necessary for JDEE.
 +
 +2011-12-06  Juanma Barranquero  <lekktu@gmail.com>
 +
 +      * semantic/bovine/c.el (semantic-tag-abstract-p): Fix typo.
 +
 +2011-11-26  Chong Yidong  <cyd@gnu.org>
 +
 +      * semantic/wisent/python-wy.el:
 +      * semantic/wisent/js-wy.el:
 +      * semantic/wisent/javat-wy.el:
 +      * semantic/bovine/c-by.el:
 +      * semantic/grammar-wy.el: Regenerate.
 +
 +2011-11-24  Juanma Barranquero  <lekktu@gmail.com>
 +
 +      * semantic/lex-spp.el (semantic-lex-spp-first-token-arg-list): Fix typo.
 +
 +2011-11-20  Juanma Barranquero  <lekktu@gmail.com>
 +
 +      * cedet-cscope.el (cedet-cscope-version-check):
 +      * cedet-global.el (cedet-global-min-version)
 +      (cedet-gnu-global-version-check):
 +      * cedet.el (cedet-version):
 +      * data-debug.el (data-debug-prev, data-debug-contract-current-line):
 +      * ede.el (ede-buffer-belongs-to-project-p, ede-auto-add-to-target)
 +      (ede-new, ede-invoke-method, project-edit-file-target, project-rescan)
 +      (ede-add-project-to-global-list, ede-map-all-subprojects):
 +      * inversion.el (inversion-check-version):
 +      * mode-local.el (mode-local-map-file-buffers, define-child-mode)
 +      (define-overloadable-function):
 +      * pulse.el (pulse-flag, pulse):
 +      * semantic.el (semantic-elapsed-time, semantic-parse-region)
 +      (navigate-menu):
 +      * ede/proj-comp.el (ede-compilation-program):
 +      * semantic/debug.el (semantic-debug-parser-go)
 +      (semantic-debug-parser-fail, semantic-debug-parser-quit)
 +      (semantic-debug-parser-abort):
 +      * semantic/idle.el (semantic-idle-core-handler):
 +      * semantic/bovine/debug.el (semantic-bovine-debug-error-frame):
 +      Fix typos.
 +
 +2011-11-16  Juanma Barranquero  <lekktu@gmail.com>
 +
 +      * semantic/lex.el (semantic-lex-tokens):
 +      * semantic/tag-ls.el (semantic-tag-protected-p):
 +      * srecode/mode.el (srecode-prefix-map): Fix typos.
 +
 +2011-11-15  Juanma Barranquero  <lekktu@gmail.com>
 +
 +      * ede/project-am.el (project-compile-target-command): Fix typo.
 +
 +2011-11-14  Juanma Barranquero  <lekktu@gmail.com>
 +
 +      * ede/auto.el (ede-project-autoload):
 +      * ede/proj-comp.el (ede-makefile-rule):
 +      * semantic/analyze.el (semantic-analyze-current-context):
 +      * semantic/ctxt.el (semantic-get-local-variables):
 +      * semantic/tag-ls.el (semantic-tag-calculate-parent): Fix typos.
 +
 +2011-11-03  David Engster  <dengste@eml.cc>
 +
 +      * srecode.el:
 +      * srecode/texi.el:
 +      * srecode/template.el:
 +      * srecode/java.el:
 +      * srecode/insert.el:
 +      * srecode/document.el:
 +      * srecode/dictionary.el:
 +      * srecode/compile.el:
 +      * semantic/wisent/java-tags.el:
 +      * semantic/texi.el:
 +      * semantic/sort.el:
 +      * semantic/lex-spp.el:
 +      * semantic/idle.el:
 +      * semantic/html.el:
 +      * semantic/db-typecache.el:
 +      * semantic/analyze/complete.el:
 +      * ede/generic.el:
 +      * ede/custom.el:
 +      * ede/cpp-root.el:
 +      * ede/base.el: Fix filenames in comments and headers.
 +
 +      * semantic/db-find.el:
 +      * srecode/insert.el (srecode-insert-include-lookup):
 +      * ede/proj-comp.el (ede-compilation-program): Fix it's -> its in
 +      comments and docstrings.
 +
 +      * semantic/ctxt.el (semantic-end-of-context-default):
 +      * semantic/find.el (semantic-find-tags-by-scope-protection):
 +      * semantic/java.el (semantic-documentation-for-tag): Fix typos in
 +      docstrings.
 +
 +      * semantic/db.el (semanticdb-table, semanticdb-abstract-cache)
 +      (semanticdb-abstract-db-cache):
 +      * semantic/decorate/include.el
 +      (semantic-decoration-unknown-include-describe): Fix filenames in
 +      docstring.
 +
 +      * semantic/ede-grammar.el (semantic-ede-grammar-compiler-wisent):
 +      (semantic-ede-grammar-compiler-bovine): Fix requires that are
 +      added to the grammar-make-script.
 +
 +2011-10-23  Chong Yidong  <cyd@gnu.org>
 +
 +      * ede.el (ede-maybe-checkout): Function deleted;
 +      vc-toggle-read-only does not do version control now.
 +
 +      * ede/util.el (ede-make-buffer-writable): Don't use
 +      vc-toggle-read-only.
 +
 +      * ede/project-am.el (project-remove-file, project-add-file)
 +      (project-new-target): Don't call ede-maybe-checkout.
 +
 +2011-10-19  Chong Yidong  <cyd@gnu.org>
 +
 +      * ede.el (ede-minor-mode,global-ede-mode):
 +      * semantic.el (semantic-mode): Doc fix to reflect new
 +      define-minor-mode calling behavior.
 +
 +2011-07-30  Chong Yidong  <cyd@stupidchicken.com>
 +
 +      * semantic/grammar.el (semantic-grammar-insert-defanalyzers): Fix
 +      require.
 +
 +2011-07-04  Darren Hoo  <darren.hoo@gmail.com>  (tiny change)
 +
 +      * semantic/db.el (semanticdb-file-table-object): Don't bug out on
 +      unconfigured projects if `global-ede-mode' is on (bug#8092).
 +
 +2011-07-01  Paul Eggert  <eggert@cs.ucla.edu>
 +
 +      * semantic.el (semantic-elapsed-time): Rewrite using
 +      time-subtract and float-time.
 +
 +2011-05-11  Glenn Morris  <rgm@gnu.org>
 +
 +      * semantic/wisent/javascript.el (semantic-get-local-variables):
 +      Use define-mode-local-override rather than its obsolete alias.
 +
 +2011-05-10  Jim Meyering  <meyering@redhat.com>
 +
 +      Fix doubled-word typos.
 +      * ede/pmake.el (ede-proj-makefile-garbage-patterns): the the -> the
 +      * semantic/complete.el (semantic-complete-read-tag-local-members):
 +      Likewise.
 +      * ede.el (ede-auto-add-method): then then -> then
 +
 +2011-04-23  Juanma Barranquero  <lekktu@gmail.com>
  
        * ede/pconf.el (ede-proj-tweak-autoconf, ede-proj-flush-autoconf):
        * ede/proj-comp.el (ede-proj-tweak-autoconf, ede-proj-flush-autoconf):
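Review bot: the new ChangeLog entry (the `+ 2012-01-09  Eric Ludlam  <zappo@gnu.org>` block) is missing the blank line that ChangeLog format expects between the date/author header and the first `* ede.el` line, and the blank line that should separate it from the following `2011-12-19  Sam Steingold` entry; its header line also carries a leading space that the other headers in the file do not. Within the entry, `(ede-load-project-file, ede-parent-project, ede-current-project):` ends in a stray colon even though the list continues on the next line with `(ede-target-parent): Avoid loading ...`. Suggest adding the two blank lines, dropping the leading space, and removing the colon so the function list reads as one continuous block.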
@@@ -557,16 -609,76 +611,76 @@@ of objects with the `ede-want-file-p' m
  \f
  ;;; Interactive method invocations
  ;;
- (defun ede (file)
-   "Start up EDE on something.
- Argument FILE is the file or directory to load a project from."
-   (interactive "fProject File: ")
-   (if (not (file-exists-p file))
-       (ede-new file)
-     (ede-load-project-file (file-name-directory file))))
+ (defun ede (dir)
+   "Start up EDE for directory DIR.
+ If DIR has an existing project file, load it.
+ Otherwise, create a new project for DIR."
+   (interactive
+    ;; When choosing a directory to turn on, and we see some directory here,
+    ;; provide that as the default.
+    (let* ((top (ede-toplevel-project default-directory))
+         (promptdflt (or top default-directory)))
+      (list (read-directory-name "Project directory: "
+                               promptdflt promptdflt t))))
+   (unless (file-directory-p dir)
+     (error "%s is not a directory" dir))
+   (when (ede-directory-get-open-project dir)
+     (error "%s already has an open project associated with it" dir))
+   ;; Check if the directory has been added to the list of safe
+   ;; directories.  It can also add the directory to the safe list if
+   ;; the user chooses.
+   (if (ede-check-project-directory dir)
+       (progn
+       ;; If there is a project in DIR, load it, otherwise do
+       ;; nothing.
+       (ede-load-project-file dir)
+       ;; Check if we loaded anything on the previous line.
+       (if (ede-current-project dir)
+           ;; We successfully opened an existing project.  Some open
+           ;; buffers may also be referring to this project.
+           ;; Resetting all the buffers will get them to also point
+           ;; at this new open project.
+           (ede-reset-all-buffers 1)
+         ;; ELSE
+         ;; There was no project, so switch to `ede-new' which is how
+         ;; a user can select a new kind of project to create.
+         (let ((default-directory (expand-file-name dir)))
+           (call-interactively 'ede-new))))
+     ;; If the proposed directory isn't safe, then say so.
+     (error "%s is not an allowed project directory in `ede-project-directories'"
+          dir)))
+ (defun ede-check-project-directory (dir)
+   "Check if DIR should be in `ede-project-directories'.
+ If it is not, try asking the user if it should be added; if so,
+ add it and save `ede-project-directories' via Customize.
+ Return nil iff DIR should not be in `ede-project-directories'."
+   (setq dir (directory-file-name (expand-file-name dir))) ; strip trailing /
+   (or (eq ede-project-directories t)
+       (and (functionp ede-project-directories)
+          (funcall ede-project-directories dir))
+       ;; If `ede-project-directories' is a list, maybe add it.
+       (when (listp ede-project-directories)
+       (or (member dir ede-project-directories)
+           (when (y-or-n-p (format "`%s' is not listed in `ede-project-directories'.
+ Add it to the list of allowed project directories? "
+                                   dir))
+             (push dir ede-project-directories)
+             ;; If possible, save `ede-project-directories'.
+             (if (or custom-file user-init-file)
+                 (let ((coding-system-for-read nil))
+                   (customize-save-variable
+                    'ede-project-directories
+                    ede-project-directories)))
+             t)))))
  
  (defun ede-new (type &optional name)
 -  "Create a new project starting of project type TYPE.
 +  "Create a new project starting from project type TYPE.
  Optional argument NAME is the name to give this project."
    (interactive
     (list (completing-read "Project Type: "
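Review bot: in `ede-check-project-directory` the allow-list lookup `(member dir ede-project-directories)` compares the string produced by `(directory-file-name (expand-file-name dir))` with whatever strings were saved earlier, so the same directory reached through a symlink or a differently spelled path is treated as unlisted and the user is prompted again; that fails closed, which is the right direction for this fix, but repeated prompts train users to answer yes. Consider normalising both the candidate and the saved entries with `file-truename` before the `member` test. The `y-or-n-p` prompt (`"`%s' is not listed in `ede-project-directories'. Add it to the list of allowed project directories? "`) also does not tell the user what they are agreeing to, even though the commit message states that a Project.ede in that directory can carry arbitrary Lisp; a wording such as "its project file may run Lisp code when loaded" would make the decision informed. Finally, two option values deserve documenting: `t` short-circuits the check for every directory via `(eq ede-project-directories t)`, and because `(listp nil)` is non-nil, a `nil` value prompts for every directory rather than refusing all of them.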
Simple merge
Simple merge