From mboxrd@z Thu Jan 1 00:00:00 1970 From: Nicolas Goaziou Subject: Re: Bug: org-attach-directory should be safe [9.1.3 (9.1.3-10-gadfbfd-elpaplus @ /home/ionasal/.emacs.d/elpa/org-plus-contrib-20171127/)] Date: Mon, 04 Dec 2017 14:56:33 +0100 Message-ID: <87fu8q8ulq.fsf@nicolasgoaziou.fr> References: Mime-Version: 1.0 Content-Type: text/plain Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:49931) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1eLrEe-0005HC-74 for emacs-orgmode@gnu.org; Mon, 04 Dec 2017 08:56:43 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1eLrEa-0003uW-IE for emacs-orgmode@gnu.org; Mon, 04 Dec 2017 08:56:40 -0500 Received: from relay4-d.mail.gandi.net ([2001:4b98:c:538::196]:47005) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1eLrEa-0003uE-Bj for emacs-orgmode@gnu.org; Mon, 04 Dec 2017 08:56:36 -0500 In-Reply-To: (Allen Li's message of "Sun, 3 Dec 2017 15:35:05 -0800") List-Id: "General discussions about Org-mode." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: emacs-orgmode-bounces+geo-emacs-orgmode=m.gmane.org@gnu.org Sender: "Emacs-orgmode" To: Allen Li Cc: emacs-orgmode@gnu.org Hello, Allen Li writes: > org-attach-directory should be safe to set as a file local or > directory local string. > > This allows the user to set a directory local attachment directory for > all Org files in a directory tree recursively. > > I do not believe there are any security issues to enable arbitrary Org > files to set org-attach-directory to a string value as the user would > have to explicitly initiate any attach operations. The most dangerous > thing I can think of is an Org file setting the attachment directory > to the user's home directory and the user running the command to > delete all attachments. Fair enough. I added a :safe keyword to the defcustom. Regards, -- Nicolas Goaziou