From ed94d3450cbb6ec7a31d9aa37efb7fe93d0559cf Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Fri, 12 Apr 2019 12:27:39 +1000 Subject: users-guide: document :set local-config Document the ':set local-config' command and add a warning about sourcing untrusted local .ghci scripts. Related: https://gitlab.haskell.org/ghc/ghc/issues/6017 Related: https://gitlab.haskell.org/ghc/ghc/issues/14250 --- docs/users_guide/ghci.rst | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) (limited to 'docs/users_guide') diff --git a/docs/users_guide/ghci.rst b/docs/users_guide/ghci.rst index 28d3a4f5ee..e0523161ea 100644 --- a/docs/users_guide/ghci.rst +++ b/docs/users_guide/ghci.rst @@ -2649,6 +2649,17 @@ commonly used commands. Sets the command used by :ghci-cmd:`:edit` to ⟨cmd⟩. +.. ghci-cmd:: :set local-config; ⟨source|ignore⟩ + + If ``ignore``, :file:`./.ghci` files will be ignored (sourcing + untrusted local scripts is a security risk). The default is + ``source``. Set this directive in your user :file:`.ghci` + script, i.e. before the local script would be sourced. + + Even when set to ``ignore``, a local script will still be + processed if given by :ghc-flag:`-ghci-script` on the command + line, or sourced via :ghci-cmd:`:script`. + .. ghci-cmd:: :set prog; ⟨prog⟩ .. index:: @@ -3133,6 +3144,12 @@ three subdirectories A, B and C, you might put the following lines in fact it works to set it using :ghci-cmd:`:set` like this. The changes won't take effect until the next :ghci-cmd:`:load`, though.) +.. warning:: + Sourcing untrusted :file:`./.ghci` files is a security risk. + They can contain arbitrary commands that will be executed as the + user. Use :ghci-cmd:`:set local-config` to inhibit the + processing of :file:`./.ghci` files. + Once you have a library of GHCi macros, you may want to source them from separate files, or you may want to source your ``.ghci`` file into your running GHCi session while debugging it -- cgit v1.2.1
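Review bot: In the first hunk (the new ``:set local-config`` entry in ghci.rst, around line 2649), the sentence "Set this directive in your user :file:`.ghci` script, i.e. before the local script would be sourced" leaves the failure case implicit. It does not say what happens when the directive is given anywhere else, such as at the prompt or inside :file:`./.ghci` itself, where the local script has already run. Please state outright that the setting only has an effect if it is read before the local script, and cross-reference the part of the guide that gives the startup file order, since "before" depends on that order. The entry also explains only ``ignore``; a short clause on what ``source`` does would make the two values symmetric. The security rationale reads as an aside in parentheses and would be clearer as its own sentence.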
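Review bot: In the second hunk (the new ``.. warning::`` block around line 3144), "Use :ghci-cmd:`:set local-config` to inhibit the processing of :file:`./.ghci` files" names the command but not the value or the place to set it. A reader who follows the warning literally and types the command in a session started in an untrusted directory is too late, going by the first hunk's own wording ("before the local script would be sourced"). Suggest spelling it out as ``:set local-config ignore`` in the user :file:`.ghci` script. "Inhibit the processing" is also stronger than what the first hunk documents, which says a local script is still processed when passed with :ghc-flag:`-ghci-script` or sourced via :ghci-cmd:`:script`, so either repeat that caveat here or link to the command entry for it.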