Date: Thu, 27 Oct 2022 07:22:12 +0300
From: Jean Louis
To: Max Nikulin
Cc: emacs-orgmode@gnu.org
Subject: Re: [BUG][Security] begin_src :var evaluated before the prompt to confirm execution

* Max Nikulin [2022-10-27 06:21]:
> Expected result:
> No code from the Org buffer and linked files is executed prior to
> confirmation from the user.

Should that be or is it a general policy for Org mode?

> Emacs-26.3, Org version is current main HEAD:
>
> 6bbd08f5a 2022-10-26 15:15:42 +0800 Ihor Radchenko:
> org-datetree-insert-line: Fix blank line insertion
>
> I consider such issues as a reason why it is bad idea to use Emacs as a
> handler for Org files downloaded from web.

I am lost here. Should people then use Vim as handler for Org files? 👀

In general, browsers use text/html and other content types they
consider safe, while they let users decide how to handle various
content types.

The core of the problem is that MIME type such as text/x-org shall be
text and nothing else.

It is up to Org developers to understand MIME types and content
types. It is IMHO obligatory for Org developers NOT to advise people
using incorrect MIME type "text/x-org" -- because Org file by default
is not just text, it is combination of application processing data and
text.

Here are some references:

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Type
https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types
https://datatracker.ietf.org/doc/html/rfc6838#section-4.2.5

Now what we have at hand is not official MIME type: "text/x-org" which
is by default opened by Emacs text editor, and Emacs does not treat it
exclusively as text, but as combination of application and text. And
that is wrong.

Now it is up to developers to understand that combined condition and to
help Emacs to get two distinct Org treatments:

- Org mode as MIME type (Content Type) "text/x-org" which NEVER
  executes any code, but treats Org mode exclusively as text; by
  teaching Emacs not to run or process code in such Org files with
  such content type;

between the condition:

- Org mode as MIME type "application/x-org" which has inside of Org
  file executable functions which Emacs would execute by opening it;

One can provide regular expressions to tools like `file' to recognize
if the Org file is "application/x-org" or just "text/x-org" (remove x-
when MIME type becomes official).

For reference, please see:
https://datatracker.ietf.org/doc/html/rfc6838#section-4.2.5

Or otherwise -- if the above job cannot be done, then please stop
advertising the content type "text/x-org" -- because Org is not text
in the context of RFC6838:
https://datatracker.ietf.org/doc/html/rfc6838

> Such files should be inspected in some viewer unable to execute
> embedded code at first. A strong reason should be necessary to call
> Emacs for a file from non-trusted source.

See above.

It is up to Org developers to decide if Org file is "application" in
MIME sense, or if they wish to keep it truly "text" in MIME sense or
if they wish to make different mode for viewing Org files and allowing
Org files to be application.

> To be honest, this is the only real issue I have noticed since
> people on this list tried to convince me 2 years ago that Org is
> quite safe in respect to unsolicited execution of embedded code.

I hope that people will understand that Org is "application" and not
just "plain text" as advertised. And thanks for pointing it out as it
helps in resolving confusions.

--
Jean

Take action in Free Software Foundation campaigns:
https://www.fsf.org/campaigns

In support of Richard M. Stallman
https://stallmansupport.org/
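
The regular-expression check proposed in the message above, sketched as an added example (not part of the original message and not Org or `file' code). The pattern list is a constructed, non-exhaustive assumption, and "application/x-org" is the label proposed in the message, not a registered media type.

```python
import re

# Constructed, non-exhaustive patterns for Org constructs that can cause
# Emacs to evaluate code. Which constructs to include is an assumption of
# this example; a production rule set would need review against Org itself.
ACTIVE_PATTERNS = {
    "src-block": re.compile(r"^[ \t]*#\+begin_src\b", re.I | re.M),
    "header-var": re.compile(
        r"^[ \t]*#\+(?:begin_src|header|property)\b.*:var\b", re.I | re.M),
    "call-line": re.compile(r"^[ \t]*#\+call:", re.I | re.M),
    "inline-src": re.compile(r"\bsrc_[A-Za-z0-9-]+(?:\[[^\]\n]*\])?\{"),
    "inline-call": re.compile(r"\bcall_[^\s()\[\]]+(?:\[[^\]\n]*\])?\("),
    "elisp-or-shell-link": re.compile(r"\[\[(?:elisp|shell):", re.I),
    "eval-macro": re.compile(r"^[ \t]*#\+macro:\s+\S+\s+\(eval\b", re.I | re.M),
    "bind-keyword": re.compile(r"^[ \t]*#\+bind:", re.I | re.M),
    "local-eval": re.compile(r"^[ \t]*#[ \t]+eval:", re.I | re.M),
}


def active_constructs(text):
    """Return the sorted names of all patterns that match somewhere in text."""
    return sorted(n for n, rx in ACTIVE_PATTERNS.items() if rx.search(text))


def classify(text):
    """Map Org content to one of the two media types named in the message."""
    return "application/x-org" if active_constructs(text) else "text/x-org"


# Constructed sample inputs.
PLAIN = "* Notes\nSome *bold* text and a [[https://orgmode.org][link]].\n"
ACTIVE = (
    "* Report\n"
    "#+begin_src emacs-lisp :var x=(+ 1 2)\n"
    "x\n"
    "#+end_src\n"
)
INLINE = "Total is src_python{1 + 1} and call_total(n=3).\n"

if __name__ == "__main__":
    for name, sample in (("PLAIN", PLAIN), ("ACTIVE", ACTIVE), ("INLINE", INLINE)):
        print(name, classify(sample), active_constructs(sample))
```

A match only means the file contains a construct that may be evaluated; it is a triage signal for choosing a non-executing viewer, not proof that opening the file runs code.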