From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp2 ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms0.migadu.com with LMTPS id gIlVD0qUrmDCDAEAgWs5BA (envelope-from ) for ; Wed, 26 May 2021 20:32:42 +0200 Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp2 with LMTPS id OM8QC0qUrmCFRgAAB5/wlQ (envelope-from ) for ; Wed, 26 May 2021 18:32:42 +0000 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 8AE61E9F7 for ; Wed, 26 May 2021 20:32:41 +0200 (CEST) Received: from localhost ([::1]:60652 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1llyKd-0000aX-1s for larch@yhetil.org; Wed, 26 May 2021 14:32:39 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:55588) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1llxq3-00067l-T1; Wed, 26 May 2021 14:01:05 -0400 Received: from debbugs.gnu.org ([209.51.188.43]:38325) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1llxq2-00005b-MU; Wed, 26 May 2021 14:01:03 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1llxq2-0006S2-LM; Wed, 26 May 2021 14:01:02 -0400 X-Loop: help-debbugs@gnu.org Subject: bug#48676: Arbitrary code execution in Org export macros Resent-From: Tom Gillespie Original-Sender: "Debbugs-submit" Resent-CC: bug-gnu-emacs@gnu.org, emacs-orgmode@gnu.org Resent-Date: Wed, 26 May 2021 18:01:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 48676 X-GNU-PR-Package: emacs,org-mode X-GNU-PR-Keywords: security To: Timothy X-Debbugs-Original-Cc: Glenn Morris , 48676@debbugs.gnu.org, emacs-orgmode Received: via spool by 48676-submit@debbugs.gnu.org id=B48676.162205202922627 (code B ref 48676); Wed, 26 May 2021 18:01:02 +0000 Received: (at 48676) by debbugs.gnu.org; 26 May 2021 18:00:29 +0000 Received: from localhost ([127.0.0.1]:49867 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1llxpU-0005sW-RR for submit@debbugs.gnu.org; Wed, 26 May 2021 14:00:29 -0400 Received: from mail-wm1-f53.google.com ([209.85.128.53]:52868) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1llxpS-0005lR-VM for 48676@debbugs.gnu.org; Wed, 26 May 2021 14:00:27 -0400 Received: by mail-wm1-f53.google.com with SMTP id z130so1235014wmg.2 for <48676@debbugs.gnu.org>; Wed, 26 May 2021 11:00:26 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=n9MlvkpcSOs33tOeMuyToLKZBoVys6xJSJkK8dmolDE=; b=DpZi9o6PMlY3HAdV0Vr4rGXGa350OeXj9aGog2m/XpuOxXGHMOEHGBT8ms9zA+rgG9 ogNoeBlePVUs+8wZ7ha4pFbzLAgztF9CTdYNffSdBRghqDKoZeimTXd0BxYxwJZ67aVv pq9dADxPeeDLE7B+3rdRAFhkBVqpmCkcNZ4MKvGx+aaYQzklmNa7OShoJm+wpCyqqg+r Lj/8dNkbbKcpxaryy0+Yszv5hLQZtt46j6/GeufwSMK69ZrZ24/YxLL8gJDE4RMeOWcj Ewx/Hjzyif/72iv8ZrR8INujDAU+C6KQ+Eq5e5HZU1wLwtFy3coEbsgYx5PHc5VUk7OO 5TaQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=n9MlvkpcSOs33tOeMuyToLKZBoVys6xJSJkK8dmolDE=; b=T8JtaJZwD8NXv5ONi+v/dQjXfJzL8Z6Yw63+qwMzKYLTboaMmY+W4NjQbhGmCU/oeF pV+Xi6xCUxe1lVu4qjgD42gi/sWXzUkyqgTewoO0B+qdwzYZ2lTw1s/KCcJX3+3njNyW fjVbOiA2yoSJZ9vaz90/aB1gF3TZx4ubx5P+8OpprTga71s4TtOCFkUyInM8KXCv1huq 7+klCKAa3xOIBbaS0P4kIITsZMqt2AjB1+jNT6MrU+daY5RJDgiaj8FZyKIQ3uaNYAih ZI5cmt0x7MJ5GfUaeUWYZFUbIRFdlZ/4I+6eHbYOPLCM513AQJe8DBAxcZmSCsbSz75a x0WQ== X-Gm-Message-State: AOAM530Xfupfkf+Kcuu25M+TxMxv3/FJl7Jqa4vUiRkKppOjCNcCnc4w PUFlWyUJJPgCe1GkGzyK3vhvyn/V3wC1tQ0ffhw= X-Google-Smtp-Source: ABdhPJwfrGdSt7zLEoxZtoWLSPtmVBaY71Y9zc1JFJbi5QqDWgslW0w4LbaKg3Z1Wlju1fGSS9x7QhDmyH45CSTZ9m0= X-Received: by 2002:a1c:c911:: with SMTP id f17mr30720631wmb.45.1622052020840; Wed, 26 May 2021 11:00:20 -0700 (PDT) MIME-Version: 1.0 References: <2nk0nl7asb.fsf@fencepost.gnu.org> <87mtsho240.fsf@gmail.com> In-Reply-To: <87mtsho240.fsf@gmail.com> From: Tom Gillespie Date: Wed, 26 May 2021 11:00:09 -0700 Message-ID: Content-Type: text/plain; charset="UTF-8" X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: emacs-orgmode@gnu.org List-Id: "General discussions about Org-mode." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: rgm@gnu.org, 48676@debbugs.gnu.org Errors-To: emacs-orgmode-bounces+larch=yhetil.org@gnu.org Sender: "Emacs-orgmode" X-Migadu-Flow: FLOW_IN ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1622053961; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:resent-cc:resent-from:resent-sender: resent-message-id:in-reply-to:in-reply-to:references:references: list-id:list-help:list-unsubscribe:list-subscribe:list-post: dkim-signature; bh=n9MlvkpcSOs33tOeMuyToLKZBoVys6xJSJkK8dmolDE=; b=DCI9j2ZpmDNjJauAuF3RBuPMYK4fbSLfet5FBik6Fz+M2w9qKAii/DhJT6+bXxd9bIJR7w BGk6KyOhAnkAUbYWptbhpJwaGgTYlO2TsPYsFSdfjpYMiZpMYkuZ9iw5doqtNoNrCDJ1zJ 5ioUNkOUquPZuUJEqcYOxxIP3pEwQgQA2LHdVwNLjBv7Rt1hLwKxrihv5WyB8R+o2KQsSX +LQ/ipM295lZl5rXMLBt94RQ5mNJqh3RwnhxZjix8P3a8wkZypvxkkocL9wmsdiXe4RxCi fYWnnDWLqlMLuJV0bS4495D008ShtwIctEefKwUERHLoi9FYAgJwmTknWgQugQ== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1622053961; a=rsa-sha256; cv=none; b=OiouRipiSwafpKcK8TKnVZnjqlJThdVV4egFJxWqgcCsX0H1Ye/UNeEdGyDzZyyKJT57vt 3Up4vHZ9ohxoNdH/wovjmsvJbHnxJGXkSCWfyd7WCbGPrHikdltl+F4NZSwZZm1GBEHM4U 8BSrTu5M3bSgPoawe23aPICyrAc8u1bwG3Xo0eis9MJlPdslbtLeKWCZi+xQv7+mFBMBG0 qgAZ989rLNiFe27C4wKtLYgeOytly1oYaY4oKrcmPhMJxu/CjkibXOR7Mb7VexX3jzeTSs TYJQT4TZEUvb3M1oTjWa2wqzXj0f6N1FTD0Cfj0zJIB6nFMcAkYDQSD3Blnfvw== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=gmail.com header.s=20161025 header.b=DpZi9o6P; dmarc=fail reason="SPF not aligned (relaxed)" header.from=gmail.com (policy=none); spf=pass (aspmx1.migadu.com: domain of emacs-orgmode-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=emacs-orgmode-bounces@gnu.org X-Migadu-Spam-Score: -1.33 Authentication-Results: aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=gmail.com header.s=20161025 header.b=DpZi9o6P; dmarc=fail reason="SPF not aligned (relaxed)" header.from=gmail.com (policy=none); spf=pass (aspmx1.migadu.com: domain of emacs-orgmode-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=emacs-orgmode-bounces@gnu.org X-Migadu-Queue-Id: 8AE61E9F7 X-Spam-Score: -1.33 X-Migadu-Scanner: scn0.migadu.com X-TUID: 8ILtb0+5tX/6 Hi Glenn, The definition for local variables doesn't cover things like org macros, though the spirit of the policy is something worth keeping in mind. Running M-x org-export-dispatch and hitting two keys means that the user has to do something to trigger code execution, much like they would have to intentionally accept certain risky local variables. That said, the fact that many org operations can run arbitrary code is definitely something that needs clearer documentation. It might make sense to add a setting to detect closures that appear in org files to ask for permission before running, but it likely should not be on by default. For a fairly extensive discussion of code execution in org see this thread from Nov 2020. https://orgmode.org/list/robi94$ma$1@ciao.gmane.io/#t Best, Tom