mirror of
https://github.com/doomemacs/doomemacs
synced 2025-08-01 12:17:25 -05:00
4418c80c95
CVE-2024-53920 describes an arbitrary code execution vulnerability during macro expansion, which occurs during byte-compilation or when evaluating macro calls in uncompiled elisp files. Flycheck and flymake use byte-compilation to lint elisp files, exposing users to this vulnerability. This commit attempts to protect users from this by disabling both in elisp files that aren't part of a project (because, presumably, untrusted elisp won't live in a project). What a "project" is depends on your projectile settings, but generally means a file that lives in a version controlled directory and/or a directory containing a recognizable project root marker (like a packages.json or Cargo.toml file). This heuristic won't catch cases of untrusted elisp living within legitimate projects, or the case where the user's $HOME is a project and *all* their elisp files live under it, but there are already too many ways to shoot yourself in the foot with Emacs to begin with, and disabling fly(check|make) altogether stands a higher chance of making people blindly re-enable them to "work around" the fact it's not "working as expected", bringing them back to square one. Anyhow, long story short, don't open elisp files you don't trust in Emacs, mkay? Ref: CVE-2024-53920
:checkers
Description
For modules dedicated to linting plain text (primarily code and prose).
Frequently asked questions
This category has no FAQs yet. Ask one?