From mboxrd@z Thu Jan 1 00:00:00 1970 From: Allen Li Subject: Bug: org-attach-directory should be safe [9.1.3 (9.1.3-10-gadfbfd-elpaplus @ /home/ionasal/.emacs.d/elpa/org-plus-contrib-20171127/)] Date: Sun, 3 Dec 2017 15:35:05 -0800 Message-ID: Mime-Version: 1.0 Content-Type: text/plain; charset="UTF-8" Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:45992) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1eLdmt-0002db-PB for emacs-orgmode@gnu.org; Sun, 03 Dec 2017 18:35:08 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1eLdms-0006TY-UX for emacs-orgmode@gnu.org; Sun, 03 Dec 2017 18:35:07 -0500 Received: from mail-qt0-x236.google.com ([2607:f8b0:400d:c0d::236]:37471) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1eLdms-0006Sr-Pr for emacs-orgmode@gnu.org; Sun, 03 Dec 2017 18:35:06 -0500 Received: by mail-qt0-x236.google.com with SMTP id d15so19200982qte.4 for ; Sun, 03 Dec 2017 15:35:06 -0800 (PST) List-Id: "General discussions about Org-mode." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: emacs-orgmode-bounces+geo-emacs-orgmode=m.gmane.org@gnu.org Sender: "Emacs-orgmode" To: emacs-orgmode@gnu.org org-attach-directory should be safe to set as a file local or directory local string. This allows the user to set a directory local attachment directory for all Org files in a directory tree recursively. I do not believe there are any security issues to enable arbitrary Org files to set org-attach-directory to a string value as the user would have to explicitly initiate any attach operations. The most dangerous thing I can think of is an Org file setting the attachment directory to the user's home directory and the user running the command to delete all attachments. Note that org-attach already allows setting the attachment directory on a headline basis, this would just allow setting the attachment directory on a file or directory basis. It can be argued that the existing functionality makes it more visible if a malicious Org file sets a dangerous attachment path (a property on the headline vs a file local variable or dir-locals file). org-attach already mentions that deleting all attachments is potentially dangerous and recommends deleting through Dired. Deleting through Dired would make it impossible for a user to not notice that a malicious Org file has set the attachment directory to something undesirable. Emacs : GNU Emacs 25.3.1 (x86_64-pc-linux-gnu, GTK+ Version 3.22.19) of 2017-09-16 Package: Org mode version 9.1.3 (9.1.3-10-gadfbfd-elpaplus @ /home/ionasal/.emacs.d/elpa/org-plus-contrib-20171127/)