trusted-content: Adjust the last patch based on preliminary feedback

* lisp/files.el (trusted-content): Rename from `trusted-files`. Update all references. * lisp/progmodes/elisp-mode.el (lisp-interaction-mode): * lisp/ielm.el (inferior-emacs-lisp-mode): * lisp/simple.el (read--expression): Set `trusted-content` since these buffers contain code that the user presumably intends to run anyway. (elisp--safe-macroexpand-all): Make the warning more discreet.
2024-12-15 17:05:55 -05:00 · 2024-12-15 17:05:55 -05:00 · 8b6c6cffd1
commit 8b6c6cffd1
parent 69b16e5c63
5 changed files with 14 additions and 10 deletions
--- a/etc/NEWS
+++ b/etc/NEWS
@ -199,7 +199,7 @@ see the variable 'url-request-extra-headers'.

 * Changes in Emacs 30.1

-** New user option 'trusted-files' to allow potentially dangerous features.
+** New user option 'trusted-content' to allow potentially dangerous features.
 This variable lists those files and directories whose content Emacs should
 consider as sufficiently trusted to run any part of the code contained
 therein even without any explicit user request.
@ -1869,7 +1869,7 @@ In the past they included a terminating newline in most cases but not all.

 *** 'elisp-flymake-byte-compile' is disabled for untrusted files.
 For security reasons, this backend can be used only in those files
-specified as trusted according to 'trusted-files' and emits an
+specified as trusted according to 'trusted-content' and emits an
 "untrusted content" warning otherwise.
 This fixes CVE-2024-53920.

--- a/lisp/files.el
+++ b/lisp/files.el
@ -714,7 +714,7 @@ buffer contents as untrusted.
 This variable might be subject to change without notice.")
 (put 'untrusted-content 'permanent-local t)

-(defcustom trusted-files nil
+(defcustom trusted-content nil
  "List of files and directories whose content we trust.
 Be extra careful here since trusting means that Emacs might execute the
 code contained within those files and directories without an explicit
@ -732,12 +732,12 @@ all files, which opens a gaping security hole."
  :type '(choice (repeat :tag "List" file)
                 (const :tag "Trust everything (DANGEROUS!)" :all))
  :version "30.1")
-(put 'trusted-files 'risky-local-variable t)
+(put 'trusted-content 'risky-local-variable t)

 (defun trusted-content-p ()
  "Return non-nil if we trust the contents of the current buffer.
 Here, \"trust\" means that we are willing to run code found inside of it.
-See also `trusted-files'."
+See also `trusted-content'."
  ;; We compare with `buffer-file-truename' i.s.o `buffer-file-name'
  ;; to try and avoid marking as trusted a file that's merely accessed
  ;; via a symlink that happens to be inside a trusted dir.
@ -746,14 +746,14 @@ See also `trusted-files'."
       (with-demoted-errors "trusted-content-p: %S"
         (let ((exists (file-exists-p buffer-file-truename)))
           (or
-            (eq trusted-files :all)
+            (eq trusted-content :all)
            ;; We can't avoid trusting the user's init file.
            (if (and exists user-init-file)
                (file-equal-p buffer-file-truename user-init-file)
              (equal buffer-file-truename user-init-file))
            (let ((file (abbreviate-file-name buffer-file-truename))
                  (trusted nil))
-              (dolist (tf trusted-files)
+              (dolist (tf trusted-content)
                (when (or (if exists (file-equal-p tf file) (equal tf file))
                          ;; We don't use `file-in-directory-p' here, because
                          ;; we want to err on the conservative side: "guilty
--- a/lisp/ielm.el
+++ b/lisp/ielm.el
@ -580,6 +580,7 @@ Customized bindings may be defined in `ielm-map', which currently contains:
       ielm-fontify-input-enable
       (comint-fontify-input-mode))

+  (setq-local trusted-content :all)
  (setq comint-prompt-regexp (concat "^" (regexp-quote ielm-prompt)))
  (setq-local paragraph-separate "\\'")
  (setq-local paragraph-start comint-prompt-regexp)
--- a/lisp/progmodes/elisp-mode.el
+++ b/lisp/progmodes/elisp-mode.el
@ -457,8 +457,9 @@ use of `macroexpand-all' as a way to find the \"underlying raw code\".")
      (progn
        (when elisp--macroexpand-untrusted-warning
          (setq-local elisp--macroexpand-untrusted-warning nil) ;Don't spam!
-          (message "Completion of local vars is disabled in %s (untrusted content)"
-                   (buffer-name)))
+          (let ((inhibit-message t))      ;Only log.
+            (message "Completion of local vars is disabled in %s (untrusted content)"
+                     (buffer-name))))
        sexp)
    (let ((macroexpand-advice
           (lambda (expander form &rest args)
@ -1336,7 +1337,8 @@ Semicolons start comments.

 \\{lisp-interaction-mode-map}"
  :abbrev-table nil
-  (setq-local lexical-binding t))
+  (setq-local lexical-binding t)
+  (setq-local trusted-content :all))

 ;;; Emacs Lisp Byte-Code mode

--- a/lisp/simple.el
+++ b/lisp/simple.el
@ -2033,6 +2033,7 @@ function `read-from-minibuffer'."
        (set-syntax-table emacs-lisp-mode-syntax-table)
        (add-hook 'completion-at-point-functions
                  #'elisp-completion-at-point nil t)
+        (setq-local trusted-content :all)
        (run-hooks 'eval-expression-minibuffer-setup-hook))
    (read-from-minibuffer prompt initial-contents
                          read--expression-map t