From: Nicolas Goaziou
Subject: Re: Org capture recursively expands %-escapes
Date: Thu, 26 Nov 2015 13:54:18 +0100
Message-ID: <874mgb9gqv.fsf@nicolasgoaziou.fr>
In-Reply-To: (Thomas Preindl's message of "Sat, 21 Nov 2015 22:06:16 +0000")
To: Thomas Preindl
Cc: emacs-orgmode@gnu.org

Hello,

Thomas Preindl writes:

> Setting up my capture templates to work with a new Chrome extension I
> noticed that when I mark some text containing %-escapes inserted with the
> '%i' in the template the %-escape was
> evaluated.
>
> For example, marking %(print (buffer-name)) will be replaced with
> "*Capture*".
>
> I am now wondering if this is intended or not and if this could be
> used as a kind of exploit to run code if someone captures code
> from a website.

Judging from `org-capture-fill-template', this is a feature. Worse,
%(...) placeholders, the most dangerous ones, are always expanded last.
I guess the intent is to fill the Sexp with previous placeholders and
then eval it for a proper result (see, e.g., `org-capture-template's
docstring).

One solution would be to expand recursively Sexp placeholders at the
beginning of `org-capture-fill-template', right after expanding
properties placeholders (i.e., %:property), so as to limit the problem.

We could also remove recursivity for placeholders altogether. It is
buggy anyway (e.g., if a property placeholder introduces another
placeholder, the latter is not expanded).

Question to the ML: is there anyone relying on placeholder recursion?

Regards,

--
Nicolas Goaziou
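
Added example (not part of the original message, and not Org's code): a toy Emacs Lisp template filler showing why rescanning text inserted by %i lets captured content reach the %(...) evaluator, next to a single-pass variant in which inserted text is never re-read. All `toy-` names, the template and the captured string are constructed for illustration; the single-pass design is one way to remove placeholder recursion, not necessarily the change Org made.

```emacs-lisp
;;; -*- lexical-binding: t -*-
;; Toy model only: not `org-capture-fill-template'.  Supports two
;; placeholders from the thread: %i (captured text) and %(SEXP).

(defvar toy-evaluated nil
  "Sexps evaluated by the toy filler, most recent first.")

(defun toy-eval-placeholder ()
  "With point just after \"%(\", replace that %(SEXP) with its value."
  (let* ((start (- (point) 2))
         (sexp (progn (backward-char) (read (current-buffer)))))
    (push sexp toy-evaluated)
    (delete-region start (point))
    (insert (format "%s" (eval sexp t)))))

(defun toy-fill-multipass (template captured)
  "Expand every %i, then rescan the whole result for %(SEXP).
Text that arrived through %i is rescanned too, so it can carry a Sexp."
  (with-temp-buffer
    (insert template)
    (goto-char (point-min))
    (while (search-forward "%i" nil t)
      (replace-match captured t t))
    (goto-char (point-min))
    (while (search-forward "%(" nil t)
      (toy-eval-placeholder))
    (buffer-string)))

(defun toy-fill-singlepass (template captured)
  "Scan TEMPLATE once, left to right; inserted text is never rescanned.
Trade-off: a %i written inside a template Sexp is no longer filled in."
  (with-temp-buffer
    (insert template)
    (goto-char (point-min))
    (while (re-search-forward "%\\(i\\|(\\)" nil t)
      (if (string= (match-string 1) "i")
          (replace-match captured t t)
        (toy-eval-placeholder)))
    (buffer-string)))

;; Constructed input: CAPTURED stands for text selected on a web page.
(let ((template "* Note\n%i\nFiled from %(buffer-name)")
      (captured "the docs say %(+ 1 2) works"))
  (dolist (fill '(toy-fill-multipass toy-fill-singlepass))
    (setq toy-evaluated nil)
    (message "%s => %S\n  evaluated: %S" fill
             (funcall fill template captured) (reverse toy-evaluated))))
```

In the multipass run the evaluated list contains a Sexp that appears nowhere in the template, which is the condition a check on template expansion should look for.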