From: Steven Allen <steven@stebalien.com>
To: Suhail Singh <suhailsingh247@gmail.com>
Cc: Suhail Singh <suhailsingh247@gmail.com>,
Ihor Radchenko <yantar92@posteo.net>,
emacs-orgmode@gnu.org, Bastien <bzg@gnu.org>
Subject: Re: [POLL] We plan to remove #+LINK: ...%(my-function) placeholder from link abbreviation spec
Date: Fri, 28 Jun 2024 10:01:22 -0700 [thread overview]
Message-ID: <87msn5ovbx.fsf@stebalien.com> (raw)
In-Reply-To: <874j9d3tjp.fsf@gmail.com>
Suhail Singh <suhailsingh247@gmail.com> writes:
> Steven Allen <steven@stebalien.com> writes:
>
>> 1. While this feature no longer invokes completely arbitrary code, it
>> still allows an attacker to call any function marked as "pure" which
>> is a pretty large attack surface.
>
> I am struggling to assess this, because it's not clear to me what the
> threat model is. Could you please elaborate? How are the attacker and
> potential victim interacting; what is the attack vector(s); who are the
> threat agents and what is their goal that we are trying to guard
> against, etc?
Scenario: Attacker sends an email containing an inline org-mode part with a
malicious link abbreviation.
The concern is that, e.g., there may b a function _marked_ as pure
that's not actually pure, leaks some information, and/or has a security
vulnerability (e.g., a C function exposed to lisp that's marked as pure
but internally has, e.g., a buffer overflow).
Of course, the actual attack hypothetical. The question being asked here
is: is the %(..) specifier in link abbreviations useful enough to warent
the potential risks.
>> You can, of course, write that function; but then you might as well
>> use org-link-abbrev-alist instead of defining a local #+LINK.
>
> Perhaps I misunderstood, I thought the thing being polled was whether or
> not to allow org-link-abbrev-alist to have REPLACE (per its docstring)
> be a function. I.e., if %(my-function) is removed, so too would the
> ability to have a function in the REPLACE position in
> org-link-abbrev-alist. Did I misunderstand?
The question is whether or not %(function) placeholders should be
allowed in #+LINK: lines. It doesn't actually say anything about
allowing them in the global org-link-abbrev-alist. But to be explicit,
there are three options:
1. Allow them in both #+LINK: lines and the global
org-link-abbrev-alist.
2. Allow them in org-link-abbrev-alist only.
3. Remove them entirely.
next prev parent reply other threads:[~2024-06-28 17:02 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-06-22 16:10 [ANN] Emergency bugfix release: Org mode 9.7.5 Ihor Radchenko
2024-06-22 17:49 ` Ihor Radchenko
2024-06-22 23:55 ` Greg Troxel
2024-06-23 1:58 ` Steven Allen
2024-06-22 17:59 ` emacs-orgmode
2024-06-22 19:15 ` Ihor Radchenko
2024-06-24 9:09 ` Assigned: CVE-2024-39331 (was: [ANN] Emergency bugfix release: Org mode 9.7.5) Ihor Radchenko
2024-06-24 8:08 ` [ANN] Emergency bugfix release: Org mode 9.7.5 Bastien Guerry
2024-06-28 15:09 ` [POLL] We plan to remove #+LINK: ...%(my-function) placeholder from link abbreviation spec (was: [ANN] Emergency bugfix release: Org mode 9.7.5) Ihor Radchenko
2024-06-28 15:51 ` [POLL] We plan to remove #+LINK: ...%(my-function) placeholder from link abbreviation spec Suhail Singh
2024-06-28 16:20 ` Steven Allen
2024-06-28 16:45 ` Suhail Singh
2024-06-28 16:55 ` Ihor Radchenko
2024-06-28 17:34 ` Suhail Singh
2024-06-28 17:01 ` Steven Allen [this message]
2024-06-28 17:55 ` Suhail Singh
2024-06-28 18:16 ` Steven Allen
2024-06-28 15:23 ` [POLL] Bug of Feature? Attack vector via deceiving link abbrevs (was: [ANN] Emergency bugfix release: Org mode 9.7.5) Ihor Radchenko
2024-06-28 15:52 ` Steven Allen
2024-06-28 15:54 ` [POLL] Bug of Feature? Attack vector via deceiving link abbrevs Suhail Singh
2024-07-29 18:42 ` [POLL] Bug of Feature? Attack vector via deceiving link abbrevs (was: [ANN] Emergency bugfix release: Org mode 9.7.5) Ihor Radchenko
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://www.orgmode.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87msn5ovbx.fsf@stebalien.com \
--to=steven@stebalien.com \
--cc=bzg@gnu.org \
--cc=emacs-orgmode@gnu.org \
--cc=suhailsingh247@gmail.com \
--cc=yantar92@posteo.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/emacs/org-mode.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).