15

I inherited my .emacs file from a friend about 18 years ago. Buried in the middle is the following ominous comment warning about the security implications of the enable-local-variables feature:

;; Date: Wed, 7 Dec 1994 11:57:50 -0600
;; From: blob@syl.dl.nec.com (David Blob)
;; Subject: Self-extracting emacs elisp code
;;
;; With all this talk about self extracting mail "viruses", a friend
;; showed me that in emacs (which I use to read mail, along with vm)
;; has the ability to self-extract elisp code. This feature seems to
;; be turned on by default, and it not only applies to mail read with
;; emacs, but rather every file visited (when the feature is on, of
;; course).
;;
;; The way it works is by having a line which reads "Local Variables:"
;; followed by the lisp variables you would like to set...well, it may
;; seem petty, but you can execute programs, make connections and much
;; more through cleverly written elisp code contained within.
;;
;; It's simple to turn off, at any rate...
;;
;; (setq enable-local-variables  f) ;; turns off feature  (in emacs 19)
;; (setq enable-local-variables  1) ;; makes it ask first (in emacs 19)
;; (setq inhibit-local-variables t) ;; turns off feature  (in emacs 18)
;;
;; Anyhow, I think the risks here speak for themselves...
;;
(setq enable-local-variables '())

So I've never actually used the local-variables feature even though it seems like it could be pretty useful. Is there a way to enable-local-variables that does something useful without exposing me to arbitrary code-injection attacks?

Gilles 'SO- stop being evil'
  • 21,702
  • 4
  • 53
  • 89
Wandering Logic
  • 253
  • 2
  • 7

2 Answers2

18

18 years ago, you were right to be worried. But time has marched on. Since Emacs 22, there is a decent built-in mechanism to whitelist safe local variables. The details are documented in the Emacs Lisp manual. The most important aspects are:

  • Lisp authors can declare safe values for each variable. This is a whitelist: if the Lisp programmer hasn't done anything special, all values are considered unsafe.
  • If enable-local-variables is set to t (the default), Emacs will automatically set safe values and prompt for confirmation if a file attempts to set an unsafe value. Once the user has approved a value for a given variable, this is automatically recorded and Emacs will not ask again about the same value for the same variable.
  • If enable-local-variables is set to :safe, Emacs will automatically set safe values and ignore the others.

So you can keep the default setting if you don't mind being prompted, or use (setq enable-local-variables :safe) to get the common benefits (indent style, timestamp format, etc.) with no risk and no user interface encroachment.

Gilles 'SO- stop being evil'
  • 21,702
  • 4
  • 53
  • 89
10

Emacs is pretty safe when it comes to local variables. It does not actually evaluate anything for file- or directory-local variables, it only parses Lisp syntax. Also, a variable has to be declared "safe" before it will be set by Emacs, and that declaration also includes a predicate. So a variable can say "a file may set this, but only if it is a string".

This means that you can safely enable local variables. You can actually just leave the default value of t – Emacs will ask you about whether it should set variables that it does not deem safe, and you can examine those first.

Make sure you do not set this variable to :all, and do look at the values of variables first before setting them if Emacs asks you. You can use :safe to only set variables that Emacs deems safe and ignore the rest, but you can miss out on some stuff this way.

Jorgen Schäfer
  • 3,899
  • 2
  • 17
  • 19