emacs-orgmode@gnu.org archives
From: Jean Louis <bugs@gnu.support>
To: Max Nikulin <manikulin@gmail.com>
Cc: emacs-orgmode@gnu.org
Subject: Re: [BUG][Security] begin_src :var evaluated before the prompt to confirm execution
Date: Thu, 27 Oct 2022 07:22:12 +0300	[thread overview]
Message-ID: <Y1oHdF+kJFTBMU6i@protected.localdomain> (raw)
In-Reply-To: <tjct9e$179u$1@ciao.gmane.io>

* Max Nikulin <manikulin@gmail.com> [2022-10-27 06:21]:
> Expected result:
> No code from the Org buffer and linked files is executed prior to
> confirmation from the user.

Should that be or is it a general policy for Org mode?

> Emacs-26.3, Org version is current main HEAD:
> 
> 6bbd08f5a 2022-10-26 15:15:42 +0800 Ihor Radchenko:
> org-datetree-insert-line: Fix blank line insertion
> 
> I consider such issues as a reason why it is a bad idea to use Emacs as a
> handler for Org files downloaded from the web.

I am lost here. Should people then use Vim as a handler for Org files? 👀

In general, browsers render text/html and other content types they
consider safe, while they let users decide how to handle the various
other content types.

The core of the problem is that MIME type such as text/x-org shall be
text and nothing else.

It is up to Org developers to understand MIME types and content types.

It is IMHO obligatory for Org developers NOT to advise people to use the
incorrect MIME type "text/x-org" -- because an Org file by default is not
just text, it is a combination of application processing data and text.

Here are some references:

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Type
https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types
https://datatracker.ietf.org/doc/html/rfc6838#section-4.2.5

Now what we have at hand is an unofficial MIME type, "text/x-org", which
is by default opened by the Emacs text editor, and Emacs does not treat
it exclusively as text, but as a combination of application and text.

And that is wrong.

Now it is up to developers to understand that combined condition and to
help Emacs get two distinct Org treatments:

- Org mode as MIME type (Content Type) "text/x-org" which NEVER
  executes any code, but treats Org mode exclusively as text; by
  teaching Emacs not to run or process code in such Org files with
  such content type;

between the condition:

- Org mode as MIME type "application/x-org" which has executable
  functions inside the Org file, which Emacs would execute on opening it;

One can provide regular expressions to tools like `file' to recognize
if the Org file is "application/x-org" or just "text/x-org" (remove the
x- when the MIME type becomes official).

For reference, please see:
https://datatracker.ietf.org/doc/html/rfc6838#section-4.2.5

Or otherwise -- if the above job cannot be done, then please stop
advertising the content type "text/x-org" -- because Org is not text
in the context of RFC 6838:
https://datatracker.ietf.org/doc/html/rfc6838

> Such files should be inspected in some viewer unable to execute
> embedded code at first. A strong reason should be necessary to call
> Emacs for a file from non-trusted source.

See above. It is up to Org developers to decide if an Org file is an
"application" in the MIME sense, or if they wish to keep it truly "text"
in the MIME sense, or if they wish to make a different mode for viewing
Org files and allow Org files to be an application.

> To be honest, this is the only real issue I have noticed since
> people on this list tried to convince me 2 years ago that Org is
> quite safe in respect to unsolicited execution of embedded code.

I hope that people will understand that Org is an "application" and not
just "plain text" as advertised.

And thanks for pointing it out as it helps in resolving confusions.

-- 
Jean

Take action in Free Software Foundation campaigns:
https://www.fsf.org/campaigns

In support of Richard M. Stallman
https://stallmansupport.org/
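The classification Jean asks for above (regular expressions that let a tool like `file' tell a code-bearing Org file from a plain-text one), as an added example that is not code from this thread or from Org mode itself. It is a Python scanner that flags the Org constructs that can lead Emacs to evaluate embedded code, with the `:var` header argument from the bug report split out as its own finding kind. The finding names, the pattern list, the "text/x-org" versus "application/x-org" labels and the two sample documents are my own assumptions; the pattern list is deliberately conservative (anything that looks like an evaluation path is flagged) and is not a complete inventory of Org's evaluation paths.

```python
"""Classify an Org document as plain text or as code-bearing.

Added example, not part of the original thread or of Org mode.  The
finding kinds, the regular expressions and the sample documents below
are assumptions made for illustration.  The scanner errs on the side of
flagging: a viewer that treats a doubtful file as "application" is the
safer default.
"""
import re
import sys

# Org constructs that can cause code to be evaluated.  Ordered from the
# generic source block to the more specific kinds; ":var" is listed
# separately because it is the case reported in the thread.
_PATTERNS = [
    ("src-block",   re.compile(r"^\s*#\+begin_src\b", re.IGNORECASE)),
    ("src-var",     re.compile(r"^\s*#\+begin_src\b.*\s:var\s", re.IGNORECASE)),
    ("call-line",   re.compile(r"^\s*#\+call:", re.IGNORECASE)),
    ("inline-src",  re.compile(r"\bsrc_[A-Za-z0-9+-]+(\[[^\]]*\])?\{")),
    ("inline-call", re.compile(r"\bcall_[A-Za-z0-9_-]+(\[[^\]]*\])?\(")),
    ("header-args", re.compile(r"^\s*#\+property:\s*header-args", re.IGNORECASE)),
]

# An "eval:" entry inside an Emacs "Local Variables:" trailer.  This is an
# Emacs mechanism rather than an Org one, but it is another way a file can
# carry code that runs when the file is opened.  (Emacs only honours the
# trailer near the end of the file; this scanner does not enforce that.)
_EVAL_RX = re.compile(r"^\s*\S*\s*eval:\s")


def scan_org(text):
    """Return a list of (line_number, kind, stripped_line) findings."""
    findings = []
    in_local_vars = False
    for lineno, line in enumerate(text.splitlines(), start=1):
        kinds = [kind for kind, rx in _PATTERNS if rx.search(line)]
        if "src-var" in kinds:
            kinds.remove("src-block")  # keep only the more specific finding
        for kind in kinds:
            findings.append((lineno, kind, line.strip()))
        if "Local Variables:" in line:
            in_local_vars = True
        elif in_local_vars and _EVAL_RX.search(line):
            findings.append((lineno, "local-var-eval", line.strip()))
    return findings


def classify_org(text):
    """Map a document to the (assumed) MIME label plus its findings."""
    findings = scan_org(text)
    mime = "application/x-org" if findings else "text/x-org"
    return {"mime": mime, "findings": findings}


# Constructed sample: talks about code but contains no evaluation path.
PLAIN_DOC = """#+TITLE: Meeting notes
#+OPTIONS: toc:nil
* Agenda
- The reported bug concerns the =:var= header argument on source blocks.
- Nothing here is evaluated: this file only talks about code.
"""

# Constructed sample: a second block pulls in the first via :var, plus
# inline evaluation and a Local Variables trailer with eval:.
CODE_DOC = """#+TITLE: Report
#+PROPERTY: header-args :exports results

#+name: secret
#+begin_src sh
cat ~/.ssh/id_ed25519
#+end_src

#+begin_src python :var data=secret
return data
#+end_src

Inline: src_sh{id} and call_secret().
# Local Variables:
# eval: (message "hello")
# End:
"""


def report(text):
    """Render a one-line-per-finding report; returns the rendered string."""
    result = classify_org(text)
    lines = [result["mime"]]
    for lineno, kind, snippet in result["findings"]:
        lines.append(f"  line {lineno}: {kind}: {snippet}")
    return "\n".join(lines)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            print(report(fh.read()))
    else:
        print(report(PLAIN_DOC))
        print(report(CODE_DOC))
```

A `file` magic rule can only match fixed offsets or regular expressions near the start of a file, so it can approximate the "src-block" and "header-args" checks but not the line-by-line scan; the script shows the decision logic such a rule would stand in for, and is the kind of pre-check one would run before handing a downloaded Org file to Emacs.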



Thread overview: 11+ messages
2022-10-27  3:18 [BUG][Security] begin_src :var evaluated before the prompt to confirm execution Max Nikulin
2022-10-27  4:22 ` Jean Louis [this message]
2022-10-27  4:46   ` Max Nikulin
2022-10-28  4:33     ` Ihor Radchenko
2022-10-28  3:19   ` Ihor Radchenko
2022-10-28  4:11     ` Max Nikulin
2022-10-28  7:30     ` Jean Louis
2022-10-28  3:15 ` [PATCH] " Ihor Radchenko
2022-10-28 17:12   ` Max Nikulin
2022-10-29  3:19     ` Ihor Radchenko
2022-11-10  5:55   ` Ihor Radchenko
