From: Tom Gillespie
Subject: Bug: tangle failure of one block results in failure to set =:tangle-mode= of another [9.3 (9.3-elpaplus @ /home/tom/.emacs.d/elpa/org-plus-contrib-20191203/)]
Date: Fri, 6 Dec 2019 22:36:23 -0800
To: emacs-orgmode@gnu.org
List-Id: "General discussions about Org-mode."

* Description
=#+HEADER: :tangle= arguments fail after other blocks tangle
=#+BEGIN_SRC lang :tangle= arguments fail before other blocks tangle

When tangling multiple blocks, if a block fails during tangling after
some other block has already been tangled, the block that has already
been tangled will not have its =:tangle-mode= set.

This can result in a =:tangle-mode (identity #o0600)= header argument
failing to be applied after a file has been created, resulting in a file
that is readable by anyone instead of secure.

* Affected versions
9.1.9, 9.3

* Observed behavior
An error occurs during tangling multiple blocks with =C-c C-v C-t=.
Files that are expected to have a mode set (e.g. =#o0755=, or =#o0600=)
by a =:tangle-mode= header retain the default mode =#o0644=.
It does not matter whether =:tangle-mode= is set on a =#+HEADER:= line
or on a =#+BEGIN_SRC= line.

* Expected behavior
It is not entirely clear what the best way to fix this is. Anything that
causes a failure between the time that a file is tangled and tangle mode
is set could cause a similar issue.

One way to ensure that this cannot happen is the following:
1. Before a block is tangled, check for the =:tangle-mode= header
2. If the =:tangle-mode= header exists, touch the file to be tangled.
   DO NOT WRITE THE CONTENTS YET
3. Set the mode specified by the =:tangle-mode= header
4. Now write the contents of the file

This will prevent a file from being written =#o0644= by default and
possibly left exposed.

* Reproduction
This is a contrived example. The secret file has to be tangled before
the other block fails to tangle. To reproduce the issue I am using a
missing folder to cause an error after tangling the secret file but
before its =:tangle-mode= has been set.
NOTE: _any other failure that can occur after some other block has
tangled can cause the same problem_.

The examples are also attached.

#+NAME: org-bug-0-0.org
#+BEGIN_EXAMPLE org
To reproduce =emacs -q --load org -- org-bug-0-0.org= and then =C-c C-v C-t=
#+HEADER: :tangle-mode (identity #o0600)
#+BEGIN_SRC bash :eval never :tangle ./some-secret-file.sh
export ALL_MY_ENVIRONMENT_VARS=secret
#+END_SRC

#+HEADER: :tangle ./this-folder-does-not-exist/some-other-file
#+BEGIN_SRC bash :eval never
echo will fail to tangle after some-secret-file.sh is written
echo BUT before its :tangle-mode is set
#+END_SRC
#+END_EXAMPLE

#+NAME: org-bug-0-1.org
#+BEGIN_EXAMPLE org
To reproduce =emacs -q --load org -- org-bug-0-1.org= and then =C-c C-v C-t=
#+BEGIN_SRC bash :eval never :tangle ./some-secret-file-2.sh :tangle-mode (identity #o0600)
export ALL_MY_ENVIRONMENT_VARS=secret
#+END_SRC

#+BEGIN_SRC bash :eval never :tangle ./this-folder-does-not-exist/some-other-file
echo will fail to tangle after some-secret-file-2.sh is written
echo BUT before its :tangle-mode is set
#+END_SRC
#+END_EXAMPLE

Emacs  : GNU Emacs 26.3 (build 1, x86_64-pc-linux-gnu, X toolkit) of 2019-09-27
Package: Org mode version 9.3 (9.3-elpaplus @ /home/tom/.emacs.d/elpa/org-plus-contrib-20191203/)
Package: Org mode version 9.1.9 (release_9.1.9-65-g5e4542 @ /usr/share/emacs/26.3/lisp/org/)
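
Added example, not part of the original message and not Org's code: a Python model of the two orderings the report discusses, run against a constructed two-block case that mirrors the reproduction. The function names, and the assumption that modes are applied in a separate pass after all blocks have been written, are illustrative.

```python
import os
import stat
import tempfile

def tangle_then_chmod(blocks):
    """Assumed model of the reported behaviour: write all files, chmod afterwards."""
    pending = []
    for path, body, mode in blocks:
        with open(path, "w") as fh:       # created as 0666 & ~umask, usually 0644
            fh.write(body)
        pending.append((path, mode))
    for path, mode in pending:            # skipped entirely if a write above raised
        if mode is not None:
            os.chmod(path, mode)

def tangle_mode_first(blocks):
    """Steps 1-4 of the report: create the file, set its mode, then write."""
    for path, body, mode in blocks:
        if mode is None:
            with open(path, "w") as fh:
                fh.write(body)
            continue
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
        with os.fdopen(fd, "w") as fh:
            os.fchmod(fd, mode)           # enforce mode even if the file pre-existed
            fh.write(body)                # contents land only after the mode is set

def secret_mode_after(tangle):
    """Tangle the constructed two-block case; return the secret file's mode bits."""
    old_umask = os.umask(0o022)
    try:
        with tempfile.TemporaryDirectory() as d:
            secret = os.path.join(d, "some-secret-file.sh")
            missing = os.path.join(d, "this-folder-does-not-exist", "some-other-file")
            blocks = [(secret, "export ALL_MY_ENVIRONMENT_VARS=secret\n", 0o600),
                      (missing, "echo will fail to tangle\n", None)]
            try:
                tangle(blocks)
            except FileNotFoundError:     # second block fails, as in the report
                pass
            return stat.S_IMODE(os.stat(secret).st_mode)
    finally:
        os.umask(old_umask)

if __name__ == "__main__":
    print(oct(secret_mode_after(tangle_then_chmod)))
    print(oct(secret_mode_after(tangle_mode_first)))
```

Passing the mode to =os.open= closes the window at creation time; the =fchmod= call additionally covers a file left over from an earlier tangle with wider permissions.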