From: Tim Cross
To: emacs-orgmode@gnu.org
Subject: Re: bug#48676: Arbitrary code execution in Org export macros
Date: Thu, 27 May 2021 09:01:33 +1000
Message-ID: <875yz5nlfu.fsf@gmail.com>
In-reply-to: <2nk0nl7asb.fsf@fencepost.gnu.org>
References: <2nk0nl7asb.fsf@fencepost.gnu.org>

Glenn Morris writes:

> Package: emacs,org-mode
> Version: 28.0.50
> Severity: important
> Tags: security
>
> emacs -Q hello.org, where hello.org contains:
>
> #+macro: hello (eval (shell-command-to-string "touch /tmp/HELLO"))
> Hello. {{{hello}}}
>
> Then:
> M-x org-export-dispatch
> t A
>
> -> now /tmp/HELLO exists, with no prompting.
>
> This seems contrary to normal Emacs practice for risky local variables,
> and to the section "Code Evaluation and Security Issues" in the Org manual
> (which does not mention macros).

I'm not quite sure if this is the same as the concern with risky local
file variables. The big difference is that with the local file
variables, without the default behaviour of asking for permission to
evaluate, the code would be evaluated simply by loading the file. With
the org file, nothing is evaluated when you load the file. The user has
to actively request evaluation (via export or tangling).

I would agree the org manual should make it very clear that exporting
and tangling can result in macro evaluation, which could involve
evaluation of arbitrary code and the risks that can introduce.

--
Tim Cross
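A pre-export check for the behaviour discussed in this thread, as an added example that is not part of the original message or of Org itself: it lists `#+macro:` definitions whose template starts with `(eval`, and where they are called, so a file from an untrusted source can be reviewed before `org-export-dispatch` is run. The function name, the regexes (an approximation of Org's macro syntax) and the `shared.org` setup file in the sample are assumptions; the first two sample lines are the `hello.org` from the quoted report.

```python
import re

# "#+MACRO: name template"; Org keywords are case-insensitive.
MACRO_DEF = re.compile(r"^[ \t]*#\+macro:[ \t]+(\S+)[ \t]+(.*)$", re.I)
# "#+SETUPFILE: path" can pull macro definitions in from another file.
SETUPFILE = re.compile(r"^[ \t]*#\+setupfile:[ \t]+(.+?)[ \t]*$", re.I)
# "{{{name}}}" or "{{{name(args)}}}" (approximation of Org's macro syntax).
MACRO_CALL = re.compile(r"\{\{\{([A-Za-z][\w-]*)(?:\(.*?\))?\}\}\}")
# A template is evaluated as Emacs Lisp when it starts with "(eval".
EVAL_TEMPLATE = re.compile(r"\(eval\b")

# First two lines: hello.org from the quoted report. The rest is constructed.
SAMPLE = (
    '#+macro: hello (eval (shell-command-to-string "touch /tmp/HELLO"))\n'
    "Hello. {{{hello}}}\n"
    "#+MACRO: author Jane Doe\n"
    "#+SETUPFILE: ./shared.org\n"
    "Written by {{{author}}}.\n"
)


def audit_org_text(text):
    """List eval macros, their call sites, and SETUPFILE references."""
    lines = text.splitlines()
    eval_macros = {}  # lower-cased name -> (line number, template)
    setupfiles = []   # (line number, path): files to audit separately
    for lineno, line in enumerate(lines, 1):
        d = MACRO_DEF.match(line)
        if d and EVAL_TEMPLATE.match(d.group(2)):
            # Lower-casing names is a conservative choice: it can only over-report.
            eval_macros[d.group(1).lower()] = (lineno, d.group(2).strip())
        s = SETUPFILE.match(line)
        if s:
            setupfiles.append((lineno, s.group(1)))
    calls = []        # (line number, macro name) for each eval-macro call
    for lineno, line in enumerate(lines, 1):
        if MACRO_DEF.match(line):
            continue  # a definition line is not a call site
        for c in MACRO_CALL.finditer(line):
            if c.group(1).lower() in eval_macros:
                calls.append((lineno, c.group(1)))
    return {"eval_macros": eval_macros, "calls": calls, "setupfiles": setupfiles}


if __name__ == "__main__":
    report = audit_org_text(SAMPLE)
    for name, (lineno, template) in report["eval_macros"].items():
        print(f"line {lineno}: macro '{name}' evaluates Lisp on export: {template}")
    for lineno, name in report["calls"]:
        print(f"line {lineno}: call to eval macro '{name}'")
    for lineno, path in report["setupfiles"]:
        print(f"line {lineno}: SETUPFILE {path} may define further macros")
```

Files named in `#+SETUPFILE:` are only reported, not followed, so each one needs the same check.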