[slime-devel] security and presentations

Helmut Eller heller at common-lisp.net
Sat Sep 10 13:47:42 UTC 2005


* Matthias Koeppe [2005-09-10 14:49+0200] writes:

> Alan Ruttenberg <alanr-l at mumble.net> writes:
>
>> I'd like to reinstate the ability to have the lisp side be able to
>> evaluate arbitrary forms from presentation menus. If there is a
>> security issue for some I think it would be better handled by having a
>> switch to disable evaluation of these forms, with the default being
>> that they are evaluated.

I don't quite understand why a menu has to evaluate arbitrary ELisp
code.  Shouldn't Emacs just tell Lisp which menu item was selected?
Or is it needed for the kind of stuff people do with javascript in
web-browsers?

BTW, are presentations of any use to people who don't use a mouse with
Emacs?

> I had implemented such a switch for the protocol message
> `evaluate-in-emacs'.  In my opinion, if a presentation-menu action 
> wants to evaluate a form in Emacs, it should simply call
> `evaluate-in-emacs'.  This simplifies the menu protocol.
>
> However, Helmut has removed `evaluate-in-emacs' completely.
>
> Helmut, could you comment whether it would be acceptable for you if we
> re-introduce evaluate-in-emacs (together with the security switch
> `slime-enable-evaluate-in-emacs').  It seems to be a feature that is
> useful for Alan (and others).  (However, I think that the default
> should be a secure one, and that no default SLIME functionality should
> depend on it.)

evaluate-in-emacs was redundant because there is already a
swank:eval-in-emacs resp. slime-eval-for-lisp.

The "security" switch sounds a bit academic/useless to me, but I don't
mind if you add one.

Helmut.


