New major mode "SES" for spreadsheets.

New function (unsafep X) determines whether X is a safe Lisp form.
New support module testcover.el for coverage testing.

3 files changed, 115 insertions, 7 deletions

diff --git a/lispref/ChangeLog b/lispref/ChangeLog
index 12b4b1a7132..6fb511796bf 100644
--- a/lispref/ChangeLog
+++ b/lispref/ChangeLog
@@ -1,3 +1,12 @@
+2002-09-16  Jonathan Yavner  <jyavner@engineer.com>
+
+	* variables.texi (File Local Variables): New function
+	risky-local-variable-p.
+
+2002-09-15  Jonathan Yavner  <jyavner@engineer.com>
+
+	* functions.texi (Function safety): New node about unsafep.
+
 2002-08-05  Per Abrahamsen  <abraham@dina.kvl.dk>
 
 	* customize.texi (Splicing into Lists): Fixed example.
diff --git a/lispref/functions.texi b/lispref/functions.texi
index 67d68e40a9a..ece586f79e4 100644
--- a/lispref/functions.texi
+++ b/lispref/functions.texi
@@ -22,6 +22,7 @@ define them.
 * Function Cells::        Accessing or setting the function definition
                             of a symbol.
 * Inline Functions::	  Defining functions that the compiler will open code.
+* Function safety::       Determining whether a function is safe to call.
 * Related Topics::        Cross-references to specific Lisp primitives
                             that have a special bearing on how functions work.
 @end menu
@@ -1157,6 +1158,95 @@ do for macros.  (@xref{Argument Evaluation}.)
 Inline functions can be used and open-coded later on in the same file,
 following the definition, just like macros.
 
+@node Function safety
+@section Determining whether a function is safe to call
+@cindex function safety
+@cindex safety of functions
+@cindex virus detection
+@cindex Trojan-horse detection
+@cindex DDoS attacks
+
+Some major modes such as SES (see @pxref{Top,,,ses}) will call
+functions that are stored in user files.  User files sometimes have
+poor pedigrees---you can get a spreadsheet from someone you've just
+met, or you can get one through email from someone you've never met.
+Such files can contain viruses and other Trojan horses that could
+corrupt your operating system environment, delete your files, or even
+turn your computer into a DDoS zombie!  To avoid this terrible fate,
+you should not call a function whose source code is stored in a user
+file until you have determined that it is safe.
+
+@defun unsafep form &optional unsafep-vars
+Returns nil if @var{form} is a @dfn{safe} lisp expression, or returns
+a list that describes why it might be unsafe.  The argument
+@var{unsafep-vars} is a list of symbols known to have temporary
+bindings at this point; it is mainly used for internal recursive
+calls.  The current buffer is an implicit argument, which provides a
+list of buffer-local bindings.
+@end defun
+
+Being quick and simple, @code{unsafep} does a very light analysis and
+rejects many Lisp expressions that are actually safe.  There are no
+known cases where @code{unsafep} returns nil for an unsafe expression.
+However, a ``safe'' Lisp expression can return a string with a
+@code{display} property, containing an associated Lisp expression to
+be executed after the string is inserted into a buffer.  This
+associated expression can be a virus.  In order to be safe, you must
+delete properties from all strings calculated by user code before
+inserting them into buffers.
+
+What is a safe Lisp expression?  Basically, it's an expression that
+calls only built-in functions with no side effects (or only innocuous
+ones).  Innocuous side effects include displaying messages and
+altering non-risky buffer-local variables (but not global variables).
+
+@table @dfn
+@item Safe expression
+@itemize
+@item
+An atom or quoted thing.
+@item
+A call to a safe function (see below), if all its arguments are
+safe expressions.
+@item
+One of the special forms [and, catch, cond, if, or, prog1, prog2,
+progn, while, unwind-protect], if all its arguments are safe.
+@item
+A form that creates temporary bindings [condition-case, dolist,
+dotimes, lambda, let, let*], if all args are safe and the symbols to
+be bound are not explicitly risky (see @pxref{File Local Variables}).
+@item
+An assignment [add-to-list, setq, push, pop], if all args are safe and
+the symbols to be assigned are not explicitly risky and they already
+have temporary or buffer-local bindings.
+@item
+One of [apply, mapc, mapcar, mapconcat] if the first argument is a
+safe explicit lambda and the other args are safe expressions.
+@end itemize
+
+@item Safe function
+@itemize
+@item
+A lambda containing safe expressions.
+@item
+A symbol on the list @code{safe-functions}, so the user says it's safe.
+@item
+A symbol with a non-nil @code{side-effect-free} property.
+@item
+A symbol with a non-nil @code{safe-function} property.  Value t
+indicates a function that is safe but has innocuous side effects.
+Other values will someday indicate functions with classes of side
+effects that are not always safe.
+@end itemize
+
+The @code{side-effect-free} and @code{safe-function} properties are
+provided for built-in functions and for low-level functions and macros
+defined in @file{subr.el}.  You can assign these properties for the
+functions you write.
+
+@end table
+
+
 @c Emacs versions prior to 19 did not have inline functions.
 
 @node Related Topics
diff --git a/lispref/variables.texi b/lispref/variables.texi
index dbb4f730245..3168e47b4e4 100644
--- a/lispref/variables.texi
+++ b/lispref/variables.texi
@@ -1738,15 +1738,20 @@ be called later, or an expression that will be executed later, simply
 visiting a file could take over your Emacs.  To prevent this, Emacs
 takes care not to allow local variable lists to set such variables.
 
-  For one thing, any variable whose name ends in @samp{-function},
-@samp{-functions}, @samp{-hook}, @samp{-hooks}, @samp{-form},
-@samp{-forms}, @samp{-program}, @samp{-command} or @samp{-predicate}
-cannot be set in a local variable list.  In general, you should use such
-a name whenever it is appropriate for the variable's meaning.
+  For one thing, any variable whose name ends in @samp{-command},
+@same{-frame-alist}, @samp{-function}, @samp{-functions},
+@samp{-hook}, @samp{-hooks}, @samp{-form}, @samp{-forms}, @samp{-map},
+@samp{-map-alist}, @samp{-mode-alist}, @samp{-program}, or
+@samp{-predicate} cannot be set in a local variable list.  In general,
+you should use such a name whenever it is appropriate for the
+variable's meaning.  The variables @samp{font-lock-keywords},
+@samp{font-lock-keywords-[0-9]}, and
+@samp{font-lock-syntactic-keywords} cannot be set in a local variable
+list, either.
 
   In addition, any variable whose name has a non-@code{nil}
-@code{risky-local-variable} property is also ignored.  So are
-all variables listed in @code{ignored-local-variables}:
+@code{risky-local-variable} property is also ignored.  So are all
+variables listed in @code{ignored-local-variables}:
 
 @defvar ignored-local-variables
 This variable holds a list of variables that should not be
@@ -1754,6 +1759,10 @@ set by a file's local variables list.  Any value specified
 for one of these variables is ignored.
 @end defvar
 
+@defun risky-local-variable-p sym
+Returns non-nil if @var{sym} is risky for any of the reasons stated above.
+@end defun
+
   The @samp{Eval:} ``variable'' is also a potential loophole, so Emacs
 normally asks for confirmation before handling it.