the file-local-variable feature (Yes, a risk, but easy to change.)
There is an Emacs feature that allows the setting of local values for
variables when editing a file by including specially formatted text near
the end of the file. This feature also includes the ability to have
arbitrary Emacs Lisp code evaluated when the file is visited.
Obviously, there is a potential for Trojan horses to exploit this
If you set the variable inhibit-local-variables to a non-nil value,
Emacs will display the special local variable settings of a file that
you visit and ask you if you really want them. This variable is not
mentioned in the manual.
It is wise to do this in lisp/site-init.el before building Emacs:
(setq inhibit-local-variables t)
If Emacs has already been built, the expression can be put in
lisp/default.el instead, or an individual can put it in their own .emacs
The ability to exploit this feature by sending e-mail to an RMAIL user
was fixed sometime after Emacs 18.52. However, any new package that
uses find-file or find-file-noselect has to be careful about this.
For more information, see `File Variables' in the online manual (which,
incidentally, does not describe how to disable the feature).
There is a new variable in Emacs 18.58 named ignore-local-eval which
turns out to be useless as currently implemented. Ignore it.