On Thu, Sep 08, 2022 at 12:34:25PM +0000, Fedja Beader wrote: > Hello Richard, Ihor and Steven, > > I'm aware that file-local variables exist, but it seems that > all documentation for them put them *into the file*, which is not secure for > files downloaded from the internet. What is to stop a malicious file from > setting an "yes, execute me automatically" variable?
While loading the file, only "safe variables" are set without warning (actually it's a bit more complex: specific variable- value pairs can be marked as "safe". See e.g. "12.12 File Local Variables" in the elisp manual. Cheers -- t
signature.asc
Description: PGP signature
