emacs-orgmode@gnu.org archives
From: Aaron Ecay <aaronecay@gmail.com>
To: orgmode <emacs-orgmode@gnu.org>
Subject: [RFC] [PATCH] allow bind keywords to set safe values
Date: Fri, 06 Nov 2015 18:09:28 +0000	[thread overview]
Message-ID: <8737wjuhif.fsf@gmail.com> (raw)


Hello all,

BIND keywords should be used for controlling export, rather than the
usual emacs method of setting file local variables
<http://mid.gmane.org/87eglcbv7g.fsf@selenimh.access.network>.  But,
BIND keywords are currently disabled by default.  We can’t turn these on
by default, as maliciously crafted documents could do nasty things to a
user’s emacs.  The attached patch permits many interesting usages of
BIND keywords by allowing them to set variables by default, as long as
the value thus set is safe (as implemented by emacs’s default file local
variable code).

Comments welcome.

Thanks,

-- 
Aaron Ecay
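The check the message proposes, worked through on a constructed document, as an added example: this is illustrative Emacs Lisp written for this page, not code from Org or from the attached patch. It assumes a `my/` prefix for its own functions and a hand-written sample buffer; it scans `#+BIND:` lines with a regexp where the real exporter walks `org-element` keywords and follows `#+SETUPFILE`, and it stands in for the patch's `(read (format "(%s)" val))` followed by `safe-local-variable-p`. The sample uses `fill-column`, whose `safe-local-variable` predicate is `integerp`, and `find-file-hook`, which has no such predicate.

```emacs-lisp
;;; bind-safety-demo.el --- Added example: which #+BIND values survive a `safe' check

;; Illustrative code written for this review, not code from Org or the
;; patch.  The `my/' prefix and the sample document are assumptions; the
;; real exporter walks keywords with org-element and follows #+SETUPFILE,
;; which this regexp scan does not attempt.

(defconst my/org-sample "\
#+TITLE: Constructed sample document
#+BIND: fill-column 70
#+BIND: fill-column \"seventy\"
#+BIND: find-file-hook (lambda () (message \"arbitrary code ran\"))
#+BIND: fill-column \"unterminated
* Heading
Body text.
"
  "Constructed Org text: one BIND with a safe value, two with values
that `safe-local-variable-p' rejects, and one that `read' cannot parse.")

(defun my/org-bind-pairs (text)
  "Return a list of (VAR VALUE STATUS) for every #+BIND: line in TEXT.
STATUS is `safe', `unsafe' or `unreadable'.  The check mirrors the
patch: the keyword text is wrapped in parentheses, handed to `read', and
the resulting (VAR VALUE) pair is passed to `safe-local-variable-p'."
  (with-temp-buffer
    (insert text)
    (goto-char (point-min))
    (let ((case-fold-search t)          ; Org keywords are case-insensitive
          result)
      (while (re-search-forward "^[ \t]*#\\+BIND:[ \t]*\\(.*\\)$" nil t)
        (let ((raw (match-string 1)))
          (condition-case nil
              (let* ((pair (read (format "(%s)" raw)))
                     (var (nth 0 pair))
                     (val (nth 1 pair)))
                ;; `safe-local-variable-p' consults the variable's
                ;; `safe-local-variable' predicate and the user's
                ;; `safe-local-variable-values'; it needs a symbol.
                (push (list var val
                            (if (and (symbolp var)
                                     (safe-local-variable-p var val))
                                'safe
                              'unsafe))
                      result))
            ;; `read' signals on malformed text (an unterminated string,
            ;; for instance); record that instead of aborting the scan.
            (error (push (list raw nil 'unreadable) result)))))
      (nreverse result))))

(defun my/org-bind-apply (text)
  "Bind every safe BIND pair from TEXT buffer-locally in a scratch buffer,
the way ox.el does with (set (make-local-variable VAR) VALUE), and return
the alist of (VAR . VALUE) pairs that were actually applied."
  (with-temp-buffer
    (let (applied)
      (dolist (entry (my/org-bind-pairs text))
        (when (eq (nth 2 entry) 'safe)
          (set (make-local-variable (nth 0 entry)) (nth 1 entry))
          (push (cons (nth 0 entry) (nth 1 entry)) applied)))
      (nreverse applied))))

(defun my/org-bind-demo ()
  "Report the verdict for each BIND line of the sample document."
  (dolist (entry (my/org-bind-pairs my/org-sample))
    (message "%-10s %S" (nth 2 entry)
             (if (eq (nth 2 entry) 'unreadable)
                 (nth 0 entry)
               (list (nth 0 entry) (nth 1 entry)))))
  (message "applied: %S" (my/org-bind-apply my/org-sample)))

;; Run from a shell:
;;   emacs -Q --batch -l bind-safety-demo.el -f my/org-bind-demo
```

Two things worth noticing when running it. Only `fill-column 70` is applied; the string value fails `integerp`, and the hook value is refused because `find-file-hook` carries no safety predicate, which is exactly the class of variable a crafted document would want to set. And because `safe-local-variable-p` also accepts any `(VAR . VALUE)` pair present in `safe-local-variable-values`, a value the user once approved for a `-*-` line or a `Local Variables:` block becomes acceptable from a BIND keyword as well, so the two mechanisms share one trust decision.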

[-- Attachment #2: 0001-Allow-bind-keywords-to-set-safe-values.patch --]

From a0650372cafa6debf1465624c2cc23dd01aa7083 Mon Sep 17 00:00:00 2001
From: Aaron Ecay <aaronecay@gmail.com>
Date: Fri, 6 Nov 2015 17:51:09 +0000
Subject: [PATCH] Allow bind keywords to set safe values

* lisp/ox.el (org-export-allow-bind-keywords): Add new `safe' value.
(org-export--list-bound-variables): Use it.
* doc/org.texi (Export settings): Update doc.
---
 doc/org.texi | 18 +++++++++++++++---
 lisp/ox.el   | 20 ++++++++++++++++----
 2 files changed, 31 insertions(+), 7 deletions(-)

diff --git a/doc/org.texi b/doc/org.texi
index c57cc41..6abf5ad 100644
--- a/doc/org.texi
+++ b/doc/org.texi
@@ -10708,6 +10708,7 @@ properties (@pxref{Properties and columns}).  Options set at a specific level
 override options set at a more general level.
 
 @cindex #+SETUPFILE
+@anchor{SETUPFILE}
 In-buffer settings may appear anywhere in the file, either directly or
 indirectly through a file included using @samp{#+SETUPFILE: filename} syntax.
 Option keyword sets tailored to a particular back-end can be inserted from
@@ -10948,9 +10949,20 @@ properties.
 @cindex #+BIND
 @vindex org-export-allow-bind-keywords
 If @code{org-export-allow-bind-keywords} is non-@code{nil}, Emacs variables
-can become buffer-local during export by using the BIND keyword.  Its syntax
-is @samp{#+BIND: variable value}.  This is particularly useful for in-buffer
-settings that cannot be changed using specific keywords.
+can become buffer-local during export by using the BIND keyword.  Setting the
+variable to @code{t} allows variables to take on all values.  Setting it to
+the symbol @code{safe} (the default) only allows safe values.  (@pxref{Safe
+File Variables,,,emacs,The Emacs Manual}) The syntax of a BIND keyword is
+@samp{#+BIND: variable value}.  The text of @samp{value} will be passed to
+the elisp @code{read} function.@footnote{This means that strings should be
+surrounded with double quotes, but symbols and lists will be read literally
+and need not be quoted for lisp with a single quote.}  The BIND keyword is
+particularly useful for in-buffer settings that cannot be changed using
+specific keywords.@footnote{You should not use the usual emacs local variable
+convention (@pxref{Specifying File Variables,,,emacs,The Emacs Manual}),
+because these notations could be lost during the export process.}  It is also
+useful for collecting common variable settings in a setup file shared between
+several documents (@pxref{SETUPFILE}).
 
 @cindex property, EXPORT_FILE_NAME
 The name of the output file to be generated is taken from the file associated
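Review bot: the new paragraph never says what happens to a BIND keyword that fails the safety check. With the ox.el change in this patch such a keyword is dropped without any message, so a reader whose `#+BIND:` has no visible effect finds nothing here explaining why, or how to allow it. Add a sentence along the lines of "When the value is @code{safe}, a BIND keyword whose value is not known to be safe for that variable is ignored; mark the value safe (@pxref{Safe File Variables,,,emacs,The Emacs Manual}) or set the option to @code{t}." Two smaller points: the @pxref placed after "only allows safe values." sits outside the sentence it supports, so move it before the period; and the footnote's "need not be quoted for lisp with a single quote" reads awkwardly, where "need not be quoted with a single quote as they would be in Lisp code" says it.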
diff --git a/lisp/ox.el b/lisp/ox.el
index eb1af9b..e257c1f 100644
--- a/lisp/ox.el
+++ b/lisp/ox.el
@@ -832,14 +832,22 @@ can also be set with the OPTIONS keyword, e.g.  \"todo:nil\"."
   :group 'org-export-general
   :type 'boolean)
 
-(defcustom org-export-allow-bind-keywords nil
+(defcustom org-export-allow-bind-keywords 'safe
   "Non-nil means BIND keywords can define local variable values.
 This is a potential security risk, which is why the default value
-is nil.  You can also allow them through local buffer variables."
+is nil.  You can also allow them through local buffer variables.
+
+See the documentation for `safe-local-variable-p' and the
+node (info \"(emacs) Safe File Variables\") for information on
+the safety setting."
   :group 'org-export-general
   :version "24.4"
   :package-version '(Org . "8.0")
-  :type 'boolean)
+  :type '(choice
+	  (const :tag "Never" nil)
+	  (const :tag "Only if safe" safe)
+	  (const :tag "Always" t))
+  :safe (lambda (x) (memq x '(nil safe))))
 
 (defcustom org-export-with-broken-links nil
   "Non-nil means do not raise an error on broken links.
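Review bot: the docstring kept on the unchanged lines is now wrong: the default becomes `safe', yet "which is why the default value is nil" still says nil, and the opening line "Non-nil means BIND keywords can define local variable values" no longer distinguishes `safe' from t. Rewrite the first paragraph to list the three values and what each permits. Second, the new `:safe (lambda (x) (memq x '(nil safe)))' lets a document's own file-local variables section set the option to `safe' without any prompt, which re-enables BIND processing for a user who deliberately set it to nil; if that is not intended, restrict the predicate to `null' or drop :safe. Finally, the widget type changed from boolean, so :package-version should be bumped to the release this lands in rather than staying at Org 8.0.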
@@ -1646,7 +1654,11 @@ an alist where associations are (VARIABLE-NAME VALUE)."
 			 (let ((val (org-element-property :value element)))
 			   (if (equal (org-element-property :key element)
 				      "BIND")
-			       (push (read (format "(%s)" val)) alist)
+			       (let* ((pair (read (format "(%s)" val))))
+				 (when (or (eq org-export-allow-bind-keywords t)
+					   (safe-local-variable-p
+					    (nth 0 pair) (nth 1 pair)))
+				   (push pair alist)))
 			     ;; Enter setup file.
 			     (let ((file (expand-file-name
 					  (org-remove-double-quotes val))))
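Review bot: a BIND pair rejected by `safe-local-variable-p' is silently discarded by the new `when', so a user cannot tell a refused value from a typo in the keyword; turn it into an `if' whose else branch reports it, e.g. `(message "BIND keyword ignored: %S is not a safe value for %s" (nth 1 pair) (nth 0 pair))', and say there how to allow it (`safe-local-variable-values', or setting `org-export-allow-bind-keywords' to t). Two smaller points: `safe-local-variable-p' calls `get' on its first argument, so a keyword whose first token is not a symbol, such as `#+BIND: "foo" 1', signals wrong-type-argument instead of being ignored; guard the call with `(symbolp (nth 0 pair))'. And `let*' with a single binding can be plain `let'.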
-- 
2.6.2


Thread overview: 5+ messages
2015-11-06 18:09 Aaron Ecay [this message]
2015-11-06 20:13 ` [RFC] [PATCH] allow bind keywords to set safe values Thomas S. Dye
2015-11-07 12:40   ` Aaron Ecay
2015-11-06 20:36 ` Nicolas Goaziou
2015-11-07 12:19   ` Aaron Ecay

Code repository for the project associated with this public inbox:

	https://git.savannah.gnu.org/cgit/emacs/org-mode.git