branch: elpa/hyperdrive commit 261277b30ff560ec40158ee45e380b0200d22fbf Author: Joseph Turner <jos...@ushin.org> Commit: Joseph Turner <jos...@ushin.org>
Add: (h/safe-hyperdrives) Whitelist to automatically load major mode Replaces h/automatic-major-mode. As discussed in <https://todo.sr.ht/~ushin/ushin/188>, automatically loading a major mode poses security hazards. --- CHANGELOG.org | 6 ++++++ doc/hyperdrive.org | 9 ++++++--- doc/hyperdrive.texi | 9 ++++++--- hyperdrive-lib.el | 3 ++- hyperdrive-vars.el | 10 +++++++--- hyperdrive.el | 3 ++- 6 files changed, 29 insertions(+), 11 deletions(-) diff --git a/CHANGELOG.org b/CHANGELOG.org index 407499d7cb..d982ad00e2 100644 --- a/CHANGELOG.org +++ b/CHANGELOG.org @@ -6,6 +6,12 @@ This project adheres to [[https://semver.org/spec/v2.0.0.html][Semantic Versioni * 0.4-pre +** Security + +- By default, don't automatically load major mode when browsing + hyperdrive files. To enable this behavior for certain trusted + hyperdrives, see user option ~h/safe-hyperdrives~. + ** Added - When visiting an old version of a hyperdrive file, press ~n~ and ~p~ to diff --git a/doc/hyperdrive.org b/doc/hyperdrive.org index cb0b6498a6..8817fdcb93 100644 --- a/doc/hyperdrive.org +++ b/doc/hyperdrive.org @@ -296,10 +296,13 @@ default: The following customization options affect how files are displayed: -- User Option: hyperdrive-honor-auto-mode-alist :: +- User Option: hyperdrive-safe-hyperdrives :: - If non-~nil~, use file extension of hyperdrive file to set ~major-mode~. - Defaults to ~t~. + List of hyperdrive public keys to be considered safe. When a + hyperdrive is considered safe, browsing files within it will cause a + major code to automatically load, running code that could + potentially cause harm on your system. Please be careful when + adding a trusted public key to this list. - User Option: hyperdrive-render-html :: diff --git a/doc/hyperdrive.texi b/doc/hyperdrive.texi index 4815c0b5d6..e47ff36557 100644 --- a/doc/hyperdrive.texi +++ b/doc/hyperdrive.texi 
@@ -523,9 +523,12 @@ directory buffer. This command remaps the global @code{dired-jump} keybinding. The following customization options affect how files are displayed: -@defopt hyperdrive-honor-auto-mode-alist -If non-@code{nil}, use file extension of hyperdrive file to set @code{major-mode}. -Defaults to @code{t}. +@defopt hyperdrive-safe-hyperdrives +List of hyperdrive public keys to be considered safe. When a +hyperdrive is considered safe, browsing files within it will cause a +major code to automatically load, running code that could +potentially cause harm on your system. Please be careful when +adding a trusted public key to this list. @end defopt @defopt hyperdrive-render-html diff --git a/hyperdrive-lib.el b/hyperdrive-lib.el index fa3e64e9b3..ddac1e80f2 100644 --- a/hyperdrive-lib.el +++ b/hyperdrive-lib.el @@ -1327,7 +1327,8 @@ If then, then call THEN with no arguments. Default handler." (or (not (h/writablep hyperdrive)) version)) (set-buffer-modified-p nil) (set-visited-file-modtime (current-time)))) - (when h/honor-auto-mode-alist + (when (member (hyperdrive-public-key hyperdrive) + h/safe-hyperdrives) (let ((buffer-file-name (he/name entry))) (set-auto-mode))) (when target diff --git a/hyperdrive-vars.el b/hyperdrive-vars.el index 26be9fa6d5..672e3106ba 100644 --- a/hyperdrive-vars.el +++ b/hyperdrive-vars.el 
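Review bot: The trust check `(member (hyperdrive-public-key hyperdrive) h/safe-hyperdrives)` in the hyperdrive-lib.el hunk at -1327 is inlined, and the hyperdrive.el hunk at -451 repeats it verbatim. The TODOs in hyperdrive-vars.el plan to gate more features on the same list, so a single predicate would keep the call sites from drifting apart, for example `(defun h//safe-p (hyperdrive) (member (hyperdrive-public-key hyperdrive) h/safe-hyperdrives))` (the name is only a suggestion). A comment at the gate would also help the next reader, such as `;; Only trusted drives may select a major mode: mode functions and hooks run on remote content.` The enclosing handler starts and ends outside the hunk, so whether anything else there sets a mode cannot be checked from here.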
@@ -44,9 +44,13 @@ "Port to use to send requests to the hyper-gateway-ushin server." :type 'natnum) -(defcustom h/honor-auto-mode-alist t - "If non-nil, use file extension of hyperdrive file to set `major-mode'." - :type 'boolean) +(defcustom h/safe-hyperdrives nil + "List of hyperdrive public keys to be considered safe. +When a hyperdrive is considered safe, browsing files within it +will cause a major code to automatically load." + ;; TODO: Append these public keys to `org-safe-remote-resources' in a setter? + ;; TODO: Use this variable to also load dir- and file-local variables specified in a hyperdrive? + :type '(repeat string)) (defcustom h/persist-location nil ;; TODO: Consider using XDG locations for this, as well as storing diff --git a/hyperdrive.el b/hyperdrive.el index 7b474f696e..196d041681 100644 --- a/hyperdrive.el +++ b/hyperdrive.el @@ -451,7 +451,8 @@ use, see `hyperdrive-write'." (with-current-buffer buffer (unless h/mode (h//clean-buffer) - (when h/honor-auto-mode-alist + (when (member (hyperdrive-public-key hyperdrive) + h/safe-hyperdrives) (let ((buffer-file-name (he/name entry))) (set-auto-mode))) (h/mode))
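Review bot: The docstring of `h/safe-hyperdrives` in the hyperdrive-vars.el hunk says "major code" where "major mode" is meant, and it drops the warning the manual carries. Customize users therefore never see that listing a key lets that drive's content trigger mode code. Suggested last sentence: `will cause a major mode to load automatically, running that mode's code and hooks on the drive's content; add only keys you trust.` Because the second TODO considers honouring dir- and file-local variables from a hyperdrive, adding `:risky t` to the defcustom would make Emacs treat any file-local setting of this list as risky. The removed `h/honor-auto-mode-alist` gets no obsolescence declaration in this hunk, so an existing customization of it would presumably be ignored silently.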