From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <emacs-orgmode-bounces+larch=yhetil.org@gnu.org>
Received: from mp10.migadu.com ([2001:41d0:8:6d80::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by ms5.migadu.com with LMTPS
	id MbbLCeD6s2NS+AAAbAwnHQ
	(envelope-from <emacs-orgmode-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Tue, 03 Jan 2023 10:52:32 +0100
Received: from aspmx1.migadu.com ([2001:41d0:8:6d80::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by mp10.migadu.com with LMTPS
	id 8PgdCOD6s2OAywAAG6o9tA
	(envelope-from <emacs-orgmode-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Tue, 03 Jan 2023 10:52:32 +0100
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by aspmx1.migadu.com (Postfix) with ESMTPS id C9B861D107
	for <larch@yhetil.org>; Tue,  3 Jan 2023 10:52:31 +0100 (CET)
Received: from localhost ([::1] helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <emacs-orgmode-bounces@gnu.org>)
	id 1pCdxy-00034m-Dn; Tue, 03 Jan 2023 04:52:18 -0500
Received: from eggs.gnu.org ([2001:470:142:3::10])
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <yantar92@posteo.net>)
 id 1pCdxl-00031C-7L
 for emacs-orgmode@gnu.org; Tue, 03 Jan 2023 04:52:06 -0500
Received: from mout01.posteo.de ([185.67.36.65])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <yantar92@posteo.net>)
 id 1pCdxj-0000in-2W
 for emacs-orgmode@gnu.org; Tue, 03 Jan 2023 04:52:04 -0500
Received: from submission (posteo.de [185.67.36.169]) 
 by mout01.posteo.de (Postfix) with ESMTPS id 1404C24019A
 for <emacs-orgmode@gnu.org>; Tue,  3 Jan 2023 10:51:58 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=posteo.net; s=2017;
 t=1672739519; bh=+s17qhJHHFzz1FbPpZo5W+/IdnKo1MbCk8aweIjzUys=;
 h=From:To:Cc:Subject:Date:From;
 b=lUwHeQQ1ValIj8Thfm+ekytetjTZ0EFK11x+y7oywxp6qlt/MN+lz87UJON49zUes
 CTl2vCUfyM/i0s8fatoj+YYGOG/M6Wx+Ki2QD/ifhAd9ByUJdV4dNW2CsWGazYKj7m
 l+U6Ah6VWDJsdNSB4//cKW9fJdBiPOCBqxEIftvoMUjXD/QJt1f/FF1rH77bNgDUr1
 NEaKptFyCAT29xG1h5AVeSi7pm2rjxebR5Few3fa5XktF64wuLcOTXZaHND/vR1LGi
 cPTtaD6+KPIfNEOPJQD6TA276wLk+lOUYsQCVlxkWHksexzTO/e6lDGZEE9+FRd1nS
 DYAk4sLSQNmuA==
Received: from customer (localhost [127.0.0.1])
 by submission (posteo.de) with ESMTPSA id 4NmSgc2Q0sz6tnv;
 Tue,  3 Jan 2023 10:51:56 +0100 (CET)
From: Ihor Radchenko <yantar92@posteo.net>
To: Greg Minshall <minshall@umich.edu>
Cc: Tom Gillespie <tgbugs@gmail.com>, Bastien <bzg@gnu.org>, Kyle Meyer
 <kyle@kyleam.com>, emacs-orgmode@gnu.org
Subject: [SECURITY] Tangling can overwrite arbitrary tangling targets,
 including important user files (was: [SECURITY] Arbitrary code evaluation
 security in Org)
In-Reply-To: <753836.1672657156@archlinux>
References: <CA+G3_PNmnJ-ehnYOBkaOOsyNjeb-OJyoy+sg_g5v3AZVGiNoXg@mail.gmail.com>
 <tn3h08$1099$1@ciao.gmane.io>
 <CA+G3_PNHe3J+PHzv_L+X1DR66TGc3sW5FxiJC5HqDd57N75P0w@mail.gmail.com>
 <87359ld5ye.fsf@kyleam.com>
 <CA+G3_PPEbiBFvADivF++x_c6s8hKtyTcy3nmBtTMd_OhBDDPyw@mail.gmail.com>
 <874ju0j538.fsf@localhost>
 <CA+G3_PMwyRrjwJp_AGxnV8P7LbqiPkGfLiQY4rziUo-xcjAUaA@mail.gmail.com>
 <87k02fspxa.fsf@localhost> <87edsii4mo.fsf@gnu.org>
 <87h6xetbfn.fsf@localhost> <878rips273.fsf@bzg.fr>
 <CA+G3_PPvTv0u9_zyWRbN+jcqqnthb3KkG5uTDa9HFqBJPgGBag@mail.gmail.com>
 <878rinadlq.fsf@localhost> <87edsd5o89.fsf@localhost>
 <753836.1672657156@archlinux>
Date: Tue, 03 Jan 2023 09:52:26 +0000
Message-ID: <87bkngkkrp.fsf@localhost>
MIME-Version: 1.0
Content-Type: text/plain
Received-SPF: pass client-ip=185.67.36.65; envelope-from=yantar92@posteo.net;
 helo=mout01.posteo.de
X-Spam_score_int: -43
X-Spam_score: -4.4
X-Spam_bar: ----
X-Spam_report: (-4.4 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
 RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-BeenThere: emacs-orgmode@gnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "General discussions about Org-mode." <emacs-orgmode.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/emacs-orgmode>,
 <mailto:emacs-orgmode-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/emacs-orgmode>
List-Post: <mailto:emacs-orgmode@gnu.org>
List-Help: <mailto:emacs-orgmode-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/emacs-orgmode>,
 <mailto:emacs-orgmode-request@gnu.org?subject=subscribe>
Errors-To: emacs-orgmode-bounces+larch=yhetil.org@gnu.org
Sender: emacs-orgmode-bounces+larch=yhetil.org@gnu.org
X-Migadu-Country: US
X-Migadu-Flow: FLOW_IN
ARC-Seal: i=1; s=key1; d=yhetil.org; t=1672739551; a=rsa-sha256; cv=none;
	b=gVL0TLWQ4Hi3hQwCa9SeLFDF0gzYlSgbmHAiQgaI+HnB095rtO2St/Up/k3p28VSNMMpug
	omL8g7/igDiQoHMJkho+3Sf9upMVvS0qb7pGgvxa4EdATishdR1zbGVL+IQB+wHfgMJThW
	rrC9oA0WHfeZBgPRjxN+TYtDIwwhGx6yRys55xwGCORLS09C90bQo6kTs60LnQqYVyqySS
	zgQO2Nd4DrSgQ1YmZw3ROozttskRZ357DqAWBbAnNoXzx1Kb4LVSp//teMuQHZiuES/WMZ
	5OcUBiBIIadd9pzOjt7Ur9pMBETz/048Ij2HU25UDZ9vwP8aCDI3KyZKwwxI5A==
ARC-Authentication-Results: i=1;
	aspmx1.migadu.com;
	dkim=pass header.d=posteo.net header.s=2017 header.b=lUwHeQQ1;
	spf=pass (aspmx1.migadu.com: domain of "emacs-orgmode-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="emacs-orgmode-bounces+larch=yhetil.org@gnu.org";
	dmarc=pass (policy=none) header.from=posteo.net
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org;
	s=key1; t=1672739551;
	h=from:from:sender:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:in-reply-to:in-reply-to:
	 references:references:list-id:list-help:list-unsubscribe:
	 list-subscribe:list-post:dkim-signature;
	bh=X2Vt8TxKkpxm4se7gmByOBxXE/gMsmIIKJd7qVEaQzo=;
	b=WhK1vQq7nLp8SAm0kRE0MCHSd49s/4n5HqqTO4mzzj1ojucLHvHAVgtTI7Z29/IuDSjtZz
	7VocAbRtuQZpt0TTiPyRDmKqDCI0gJtDO0i4HacIql+Ddx0Q2ScAsiLFBONZ7YpJJmVmoC
	y9Q1UouwN/2zojpLytm6bXiJdaOm3Hq6nG3zN9X3uMUTbEEfy5q6ZSIfC5M93PxVvxdJUN
	fLAotF6Lof12GOvsA00yJXLGJYctqF1DKPLzbvOjSPFAaLLY8/esb/kdnRUbVSoYw7BaLN
	lnx7kfAkGdzDLoPtAb/vnAVVwkjSkmzCWj1AUjDKZApruwIaDVQN6/gMdq6bsA==
X-Spam-Score: -8.09
X-Migadu-Queue-Id: C9B861D107
Authentication-Results: aspmx1.migadu.com;
	dkim=pass header.d=posteo.net header.s=2017 header.b=lUwHeQQ1;
	spf=pass (aspmx1.migadu.com: domain of "emacs-orgmode-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="emacs-orgmode-bounces+larch=yhetil.org@gnu.org";
	dmarc=pass (policy=none) header.from=posteo.net
X-Migadu-Scanner: scn0.migadu.com
X-Migadu-Spam-Score: -8.09
X-TUID: DvNN1YvHYBz+

Greg Minshall <minshall@umich.edu> writes:

> one additional item (i don't *think* we discussed this before; apologies
> if i'm forgetting): tangling.  if one is prompted to "merely" tangle ...
> ----
> #+begin_src sh :tangle /var/tmp/foo.org.tangled
>   echo 'hi!'
> #+end_src
> ----
>
> one could imagine more sinister scenarios for destination, content.
>
> i don't really know what, how much, to do.  possibly just an option,
> defaulting to =nil=, allowing tangle to write a file outside the subtree
> that holds the .org file being tangled.

Good point. Though not directly related to code execution.

In this particular case, we might be able to utilize Emacs' file
dialogues. For example, `write-file' can ask about overwriting an
existing file.

-- 
Ihor Radchenko // yantar92,
Org mode contributor,
Learn more about Org mode at <https://orgmode.org/>.
Support Org development at <https://liberapay.com/org-mode>,
or support my work at <https://liberapay.com/yantar92>