• Eric M. Ludlam's avatar
    Fix EDE security flaw involving loading arbitrary Lisp from Project.ede. · 6e9ddbb3
    Eric M. Ludlam authored
    * lisp/ede.el (ede-project-directories): New option.
    (ede-directory-safe-p): Check it.
    (ede-initialize-state-current-buffer, ede, ede-new)
    (ede-check-project-directory, ede-rescan-toplevel)
    (ede-load-project-file, ede-parent-project, ede-current-project):
    (ede-target-parent): Avoid loading in a project unless it is safe,
    since it may involve malicious code.  This security flaw was
    pointed out by Hiroshi Oota.
    
    * lisp/ede/auto.el (ede-project-autoload): Add safe-p slot.
    (ede-project-class-files): Projects using Project.ede are unsafe.
    (ede-auto-load-project): New method.
    
    * lisp/ede/simple.el (ede-project-class-files): Mark as unsafe.
    6e9ddbb3
ede.el 48 KB