Opened 2 years ago

Last modified 2 years ago

#14250 new bug

GHCi by default opens .ghci files in local directories.

Reported by: merijn Owned by:
Priority: normal Milestone:
Component: GHCi Version: 8.2.1
Keywords: Cc: davean
Operating System: Unknown/Multiple Architecture: Unknown/Multiple
Type of failure: None/Unknown Test Case:
Blocked By: Blocking:
Related Tickets: Differential Rev(s):
Wiki Page:

Description

During a discussion on IRC I learned that ghci still opens .ghci in local directories by default (I think I raised this issue before). This means that if I'm looking through the source of an untrusted Haskell repo I can get my machine owned by simply running ghci. Now for simple shell use I could get solve this by aliasing ghci to ghci -ignore-dot-files -ghci-script ~/.ghci, but there are a lot of editor/IDE tools that also run ghci that wouldn't use this alias.

Some sensible solutions that spring to mind are: 1) Only load ~/.ghci by default and add a flag that enables scanning local files. 2) Adding ghci commands to enable/disable loading local .ghci files in the ghci prompt and change the load order of .ghci files so that ~/.ghci loads first and can enable/disable loading local files.

Change History (1)

comment:1 Changed 2 years ago by davean

Cc: davean added
Note: See TracTickets for help on using tickets.