[PATCH 0/3] Safe local variable declarations

[PATCH 0/3] Safe local variable declarations

[Aaron Ecay]

In
<http://mid.gmane.org/CANtbJLFJ84FixMJr_4BAC=iXrPQoZm44dFxAaK6Z1fBTbrqzdw@mail.gmail.com>,
Klaus-Dieter pointed out that many export variables are not marked as
safe locals, which makes it annoying to use them as file-local
variables, especially in collaborative situations.  Here are 3 patches
that make a start at marking some variables safe, when they are in
fact safe.

With respect to the LaTeX export variables specifically, there are
many string variables that inject LaTeX code into the output
(`org-latex-active-timestamp-format', to give just one example).
Currently the patch takes a conservative approach, not touching these
variables.

LaTeX code can run arbitrary shell commands, *only if* the user passes
a command line flag to latex to explicitly enable that functionality.
I think a decision has to be made about whether to allow these string
variables to be marked as safe.  There are two failsafes (the
default-unsafe nature of these variables and the LaTeX command line
switch); marking the variables as safe would remove one of them.  But
it would also lower the barrier to collaborating on reproducible
documents significantly, I think.

Obviously, if people like this approach the other export backends and
org-babel languages should be gone through and have safe variable
predicates added to them.

Aaron Ecay (3):
  Mark ox-latex variables safe locals under proper conditions
  Mark some org-babel variables as safe locals under proper conditions
  mark o-b-default-header-args:R as a safe local under proper conditions

 lisp/ob-R.el     | 16 ++++++++++++++++
 lisp/ob-core.el  | 31 +++++++++++++++++++++++++++++++
 lisp/ox-latex.el | 18 ++++++++++++------
 3 files changed, 59 insertions(+), 6 deletions(-)

--
1.8.4.1

[PATCH 1/3] Mark ox-latex variables safe locals under proper conditions

[Aaron Ecay]

* lisp/ox-latex.el (org-latex-with-hyperref,
org-latex-default-table-mode, org-latex-tables-booktabs,
org-latex-tables-centered, org-latex-table-caption-above,
org-latex-listings): add safe local variable properties
---
 lisp/ox-latex.el | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/lisp/ox-latex.el b/lisp/ox-latex.el
index b0cc4bb..235d092 100644
--- a/lisp/ox-latex.el
+++ b/lisp/ox-latex.el
@@ -343,7 +343,8 @@ the toc:nil option, not to those generated with #+TOC keyword."
 (defcustom org-latex-with-hyperref t
   "Toggle insertion of \\hypersetup{...} in the preamble."
   :group 'org-export-latex
-  :type 'boolean)
+  :type 'boolean
+  :safe #'booleanp)
 
 ;;;; Headline
 
@@ -488,12 +489,14 @@ When modifying this variable, it may be useful to change
   :type '(choice (const :tag "Table" table)
 		 (const :tag "Matrix" math)
 		 (const :tag "Inline matrix" inline-math)
-		 (const :tag "Verbatim" verbatim)))
+		 (const :tag "Verbatim" verbatim))
+  :safe (lambda (s) (memq s '(table math inline-math verbatim))))
 
 (defcustom org-latex-tables-centered t
   "When non-nil, tables are exported in a center environment."
   :group 'org-export-latex
-  :type 'boolean)
+  :type 'boolean
+  :safe #'booleanp)
 
 (defcustom org-latex-tables-booktabs nil
   "When non-nil, display tables in a formal \"booktabs\" style.
@@ -504,13 +507,15 @@ attributes."
   :group 'org-export-latex
   :version "24.4"
   :package-version '(Org . "8.0")
-  :type 'boolean)
+  :type 'boolean
+  :safe #'booleanp)
 
 (defcustom org-latex-table-caption-above t
   "When non-nil, place caption string at the beginning of the table.
 Otherwise, place it near the end."
   :group 'org-export-latex
-  :type 'boolean)
+  :type 'boolean
+  :safe #'booleanp)
 
 (defcustom org-latex-table-scientific-notation "%s\\,(%s)"
   "Format string to display numbers in scientific notation.
@@ -670,7 +675,8 @@ into previewing problems, please consult
   :type '(choice
 	  (const :tag "Use listings" t)
 	  (const :tag "Use minted" 'minted)
-	  (const :tag "Export verbatim" nil)))
+	  (const :tag "Export verbatim" nil))
+  :safe (lambda (s) (memq s '(t nil minted))))
 
 (defcustom org-latex-listings-langs
   '((emacs-lisp "Lisp") (lisp "Lisp") (clojure "Lisp")
-- 
1.8.4.1

Re: [PATCH 1/3] Mark ox-latex variables safe locals under proper conditions

[Nicolas Goaziou]

Hello,

Aaron Ecay <aaronecay@gmail.com> writes:

> * lisp/ox-latex.el (org-latex-with-hyperref,
> org-latex-default-table-mode, org-latex-tables-booktabs,
> org-latex-tables-centered, org-latex-table-caption-above,
> org-latex-listings): add safe local variable properties

Thanks for the patch. It is interesting.

Out of curiosity, why did you skip other variables (e.g.
org-latex-footnote-separator)?


Regards,

-- 
Nicolas Goaziou

Re: [PATCH 1/3] Mark ox-latex variables safe locals under proper conditions

[Aaron Ecay]

Hi Nicolas,

2013ko urriak 29an, Nicolas Goaziou-ek idatzi zuen:

[...]

> 
> Thanks for the patch. It is interesting.
> 
> Out of curiosity, why did you skip other variables (e.g.
> org-latex-footnote-separator)?

Because these variables insert arbitrary latex code into the export
output, they could be put to nefarious purposes.  If I can trick you
into compiling a latex document that I’ve inserted malicious code into,
AND into passing a particular non-default command line flag to latex,
then I can execute arbitrary shell commands on your machine with your
privileges.

Since this requires user intervention in the form of specifying an
additional command line flag, it could be argued that there is no
security breach in allowing potentially malicious code into an export
file – it will fail to have its desired bad effect without the user
taking further steps to weaken security.*  But it is in some sense a
lessening of security.  I think the community has to decide what is an
acceptable level of risk.

One intermediate option would be to not mark these string-valued variables as
safe by default, but let users opt in to marking them safe with a function
like the following, which users could choose to call in their init file:

(defun org-live-dangerously ()
  (dolist (var '(org-latex-footnote-separator etc...))
    (put var 'safe-local-variable #'stringp)))

Aaron

* But several latex tools, including minted, which org supports, use
this shell command functionality for benign purposes.  So many users are
probably used to turning it on, and perhaps even have configurations
that enable it by default.

-- 
Aaron Ecay

Re: [PATCH 1/3] Mark ox-latex variables safe locals under proper conditions

[Nicolas Goaziou]

Hello,

Aaron Ecay <aaronecay@gmail.com> writes:

> 2013ko urriak 29an, Nicolas Goaziou-ek idatzi zuen:

>> Out of curiosity, why did you skip other variables (e.g.
>> org-latex-footnote-separator)?
>
> Because these variables insert arbitrary latex code into the export
> output, they could be put to nefarious purposes.  If I can trick you
> into compiling a latex document that I’ve inserted malicious code into,
> AND into passing a particular non-default command line flag to latex,
> then I can execute arbitrary shell commands on your machine with your
> privileges.

You are right. In my mind, "safe" meant safe Lisp-wise, not LaTeX-wise.

I applied your patch. Thank you.


Regards,

-- 
Nicolas Goaziou

[PATCH 2/3] Mark some org-babel variables as safe locals under proper conditions

[Aaron Ecay]

* lisp/ob-core.el (org-babel-inline-result-wrap,
org-babel-default-header-args,
org-babel-default-inline-header-args): mark as safe local variables
---
 lisp/ob-core.el | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git a/lisp/ob-core.el b/lisp/ob-core.el
index 8fafd4b..60666fc 100644
--- a/lisp/ob-core.el
+++ b/lisp/ob-core.el
@@ -158,6 +158,11 @@ See also `org-babel-noweb-wrap-start'."
 This string must include a \"%s\" which will be replaced by the results."
   :group 'org-babel
   :type 'string)
+(put 'org-babel-inline-result-wrap
+     'safe-local-variable
+     (lambda (value)
+       (and (stringp value)
+	    (string-match-p "%s" value))))
 
 (defun org-babel-noweb-wrap (&optional regexp)
   (concat org-babel-noweb-wrap-start
@@ -484,10 +489,14 @@ specific header arguments as well.")
   '((:session . "none") (:results . "replace") (:exports . "code")
     (:cache . "no") (:noweb . "no") (:hlines . "no") (:tangle . "no"))
   "Default arguments to use when evaluating a source block.")
+(put 'org-babel-default-header-args 'safe-local-variable
+     #'org-babel-default-header-args-safe-p)
 
 (defvar org-babel-default-inline-header-args
   '((:session . "none") (:results . "replace") (:exports . "results"))
   "Default arguments to use when evaluating an inline source block.")
+(put 'org-babel-default-inline-header-args 'safe-local-variable
+     #'org-babel-default-header-args-safe-p)
 
 (defvar org-babel-data-names '("tblname" "results" "name"))
 
@@ -2785,6 +2794,28 @@ of `org-babel-temporary-directory'."
 
 (add-hook 'kill-emacs-hook 'org-babel-remove-temporary-directory)
 
+(defun org-babel-one-header-arg-safe-p (pair)
+  (or
+   (memq (car pair) '(:cache :colnames :comments
+			     :exports :epilogue
+			     :hlines :noeval
+			     :noweb :noweb-ref
+			     :noweb-sep :padline
+			     :prologue :rownames
+			     :sep :session :tangle
+			     :wrap))
+   (and (eq (car pair) :eval)
+        (member (cdr pair) '("never" "query")))
+   (and (eq (car pair) :results)
+        (not (string-match "file" (cdr pair))))))
+
+(defun org-babel-default-header-args-safe-p (value)
+  (and (listp value)
+       (and (mapcar (lambda (pair)
+		      (and (consp pair)
+			   (org-babel-one-header-arg-safe-p pair)))
+		    value))))
+
 (provide 'ob-core)
 
 ;; Local variables:
-- 
1.8.4.1

Re: [PATCH 2/3] Mark some org-babel variables as safe locals under proper conditions

[Eric Schulte]

Could you add documentation strings to `org-babel-one-header-arg-safe-p'
and `org-babel-one-header-arg-safe-p'?  Also, would the header argument
list in the latter be better as a defvar which ob-*.el files could
let-bind to add their own additional safe header arguments?

Thanks,

Aaron Ecay <aaronecay@gmail.com> writes:

> * lisp/ob-core.el (org-babel-inline-result-wrap,
> org-babel-default-header-args,
> org-babel-default-inline-header-args): mark as safe local variables
> ---
>  lisp/ob-core.el | 31 +++++++++++++++++++++++++++++++
>  1 file changed, 31 insertions(+)
>
> diff --git a/lisp/ob-core.el b/lisp/ob-core.el
> index 8fafd4b..60666fc 100644
> --- a/lisp/ob-core.el
> +++ b/lisp/ob-core.el
> @@ -158,6 +158,11 @@ See also `org-babel-noweb-wrap-start'."
>  This string must include a \"%s\" which will be replaced by the results."
>    :group 'org-babel
>    :type 'string)
> +(put 'org-babel-inline-result-wrap
> +     'safe-local-variable
> +     (lambda (value)
> +       (and (stringp value)
> +	    (string-match-p "%s" value))))
>  
>  (defun org-babel-noweb-wrap (&optional regexp)
>    (concat org-babel-noweb-wrap-start
> @@ -484,10 +489,14 @@ specific header arguments as well.")
>    '((:session . "none") (:results . "replace") (:exports . "code")
>      (:cache . "no") (:noweb . "no") (:hlines . "no") (:tangle . "no"))
>    "Default arguments to use when evaluating a source block.")
> +(put 'org-babel-default-header-args 'safe-local-variable
> +     #'org-babel-default-header-args-safe-p)
>  
>  (defvar org-babel-default-inline-header-args
>    '((:session . "none") (:results . "replace") (:exports . "results"))
>    "Default arguments to use when evaluating an inline source block.")
> +(put 'org-babel-default-inline-header-args 'safe-local-variable
> +     #'org-babel-default-header-args-safe-p)
>  
>  (defvar org-babel-data-names '("tblname" "results" "name"))
>  
> @@ -2785,6 +2794,28 @@ of `org-babel-temporary-directory'."
>  
>  (add-hook 'kill-emacs-hook 'org-babel-remove-temporary-directory)
>  
> +(defun org-babel-one-header-arg-safe-p (pair)
> +  (or
> +   (memq (car pair) '(:cache :colnames :comments
> +			     :exports :epilogue
> +			     :hlines :noeval
> +			     :noweb :noweb-ref
> +			     :noweb-sep :padline
> +			     :prologue :rownames
> +			     :sep :session :tangle
> +			     :wrap))
> +   (and (eq (car pair) :eval)
> +        (member (cdr pair) '("never" "query")))
> +   (and (eq (car pair) :results)
> +        (not (string-match "file" (cdr pair))))))
> +
> +(defun org-babel-default-header-args-safe-p (value)
> +  (and (listp value)
> +       (and (mapcar (lambda (pair)
> +		      (and (consp pair)
> +			   (org-babel-one-header-arg-safe-p pair)))
> +		    value))))
> +
>  (provide 'ob-core)
>  
>  ;; Local variables:

-- 
Eric Schulte
https://cs.unm.edu/~eschulte
PGP: 0x614CA05D

Re: [PATCH 2/3] Mark some org-babel variables as safe locals under proper conditions

[Aaron Ecay]

[-- Attachment #1: Type: text/plain, Size: 322 bytes --]

Hi Eric,

Thanks for the feedback.  You are right that this could be more
extensible.  I’m attaching a new version of patches #2 and 3 to this
email, which should be an improvement on that front.  I also added
docstrings, and a test.

Aaron

PS You were right about org-every vs. mapcar in your other message.

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: 0002-Mark-some-org-babel-variables-as-safe-locals-under-p.patch --]
[-- Type: text/x-diff, Size: 5344 bytes --]

From 1ca6369721eeadded29fc538b996267ff88a38b9 Mon Sep 17 00:00:00 2001
From: Aaron Ecay <aaronecay@gmail.com>
Date: Mon, 28 Oct 2013 15:39:31 -0400
Subject: [PATCH 2/3] Mark some org-babel variables as safe locals under proper
 conditions

* lisp/ob-core.el (org-babel-inline-result-wrap,
org-babel-default-header-args,
org-babel-default-inline-header-args): mark as safe local variables
---
 lisp/ob-core.el         | 63 +++++++++++++++++++++++++++++++++++++++++++++++++
 testing/lisp/test-ob.el | 21 +++++++++++++++++
 2 files changed, 84 insertions(+)

diff --git a/lisp/ob-core.el b/lisp/ob-core.el
index 8fafd4b..b1a6871 100644
--- a/lisp/ob-core.el
+++ b/lisp/ob-core.el
@@ -158,6 +158,11 @@ See also `org-babel-noweb-wrap-start'."
 This string must include a \"%s\" which will be replaced by the results."
   :group 'org-babel
   :type 'string)
+(put 'org-babel-inline-result-wrap
+     'safe-local-variable
+     (lambda (value)
+       (and (stringp value)
+	    (string-match-p "%s" value))))
 
 (defun org-babel-noweb-wrap (&optional regexp)
   (concat org-babel-noweb-wrap-start
@@ -484,10 +489,14 @@ specific header arguments as well.")
   '((:session . "none") (:results . "replace") (:exports . "code")
     (:cache . "no") (:noweb . "no") (:hlines . "no") (:tangle . "no"))
   "Default arguments to use when evaluating a source block.")
+(put 'org-babel-default-header-args 'safe-local-variable
+     (org-babel-header-args-safe-fn org-babel-safe-header-args))
 
 (defvar org-babel-default-inline-header-args
   '((:session . "none") (:results . "replace") (:exports . "results"))
   "Default arguments to use when evaluating an inline source block.")
+(put 'org-babel-default-inline-header-args 'safe-local-variable
+     (org-babel-header-args-safe-fn org-babel-safe-header-args))
 
 (defvar org-babel-data-names '("tblname" "results" "name"))
 
@@ -2785,6 +2794,60 @@ of `org-babel-temporary-directory'."
 
 (add-hook 'kill-emacs-hook 'org-babel-remove-temporary-directory)
 
+(defconst org-babel-safe-header-args
+  '(:cache :colnames :comments :exports :epilogue :hlines :noeval
+	   :noweb :noweb-ref :noweb-sep :padline :prologue :rownames
+	   :sep :session :tangle :wrap
+	   (:eval . ("never" "query"))
+	   (:results . (lambda (str) (not (string-match "file" str)))))
+  "A list of safe header arguments for babel source blocks.
+
+The list can have entries of the following forms:
+- :ARG                     -> :ARG is always a safe header arg
+- (:ARG . (VAL1 VAL2 ...)) -> :ARG is safe as a header arg if it is
+                              `equal' to one of the VALs.
+- (:ARG . FN)              -> :ARG is safe as a header arg if the function FN
+                              returns non-nil.  FN is passed one
+                              argument, the value of the header arg
+                              (as a string).")
+
+(defun org-babel-one-header-arg-safe-p (pair safe-list)
+  "Determine if the PAIR is a safe babel header arg according to SAFE-LIST.
+
+For the format of SAFE-LIST, see `org-babel-safe-header-args'."
+  (and (consp pair)
+       (keywordp (car pair))
+       (stringp (cdr pair))
+       (or
+	(memq (car pair) safe-list)
+	(let ((entry (assq (car pair) safe-list)))
+	  (and entry
+	       (consp entry)
+	       (cond ((functionp (cdr entry))
+		       (funcall (cdr entry) (cdr pair)))
+		     ((listp (cdr entry))
+		      (member (cdr pair) (cdr entry)))
+		     (t nil)))))))
+
+(defmacro org-babel-header-args-safe-fn (safe-list)
+  "Return a function that determines whether a list of header args are safe.
+
+Intended usage is:
+\(put 'org-babel-default-header-args 'safe-local-variable
+ (org-babel-header-args-safe-p org-babel-safe-header-args)
+
+This allows org-babel languages to extend the list of safe values for
+their `org-babel-default-header-args:foo' variable.
+
+For the format of SAFE-LIST, see `org-babel-safe-header-args'."
+  `(lambda (value)
+     (and (listp value)
+	  (org-every
+	   (lambda (pair)
+	     (and (consp pair)
+		  (org-babel-one-header-arg-safe-p pair ,safe-list)))
+	   value))))
+
 (provide 'ob-core)
 
 ;; Local variables:
diff --git a/testing/lisp/test-ob.el b/testing/lisp/test-ob.el
index 93c026b..e7f0645 100644
--- a/testing/lisp/test-ob.el
+++ b/testing/lisp/test-ob.el
@@ -1181,6 +1181,27 @@ echo \"$data\"
 	    (list (org-get-indentation)
 		  (progn (forward-line) (org-get-indentation)))))))
 
+(ert-deftest test-ob/safe-header-args ()
+  "Detect safe and unsafe header args."
+  (let ((safe-args '((:cache . "foo")
+		     (:results . "output")
+		     (:eval . "never")
+		     (:eval . "query")))
+	(unsafe-args '((:eval . "yes")
+		       (:results . "output file")
+		       (:foo . "bar")))
+	(malformed-args '((bar . "foo")
+			  ("foo" . "bar")
+			  :foo))
+	(safe-p (org-babel-header-args-safe-fn org-babel-safe-header-args)))
+    (dolist (arg safe-args)
+      (should (org-babel-one-header-arg-safe-p arg org-babel-safe-header-args)))
+    (dolist (arg unsafe-args)
+      (should (not (org-babel-one-header-arg-safe-p arg org-babel-safe-header-args))))
+    (dolist (arg malformed-args)
+      (should (not (org-babel-one-header-arg-safe-p arg org-babel-safe-header-args))))
+    (should (not (funcall safe-p (append safe-args unsafe-args))))))
+
 (provide 'test-ob)
 
 ;;; test-ob ends here
-- 
1.8.4.2


[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #3: 0003-mark-o-b-default-header-args-R-as-a-safe-local-under.patch --]
[-- Type: text/x-diff, Size: 1297 bytes --]

From f756b6f8a5704404323f9600af278292734d2ea5 Mon Sep 17 00:00:00 2001
From: Aaron Ecay <aaronecay@gmail.com>
Date: Mon, 28 Oct 2013 15:40:32 -0400
Subject: [PATCH 3/3] mark o-b-default-header-args:R as a safe local under
 proper conditions

* lisp/ob-R.el (org-babel-default-header-args:R): mark as a safe local
variable
---
 lisp/ob-R.el | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/lisp/ob-R.el b/lisp/ob-R.el
index 74d7513..2321f64 100644
--- a/lisp/ob-R.el
+++ b/lisp/ob-R.el
@@ -65,7 +65,20 @@
 			    (output value graphics))))
   "R-specific header arguments.")
 
+(defconst ob-R-safe-header-args
+  (append org-babel-safe-header-args
+	  '(:width :height :bg :units :pointsize :antialias :quality
+		   :compression :res :type :family :title :fonts
+		   :version :paper :encoding :pagecentre :colormodel
+		   :useDingbats :horizontal))
+  "Header args which are safe for R babel blocks.
+
+See `org-babel-safe-header-args' for documentation of the format of
+this variable.")
+
 (defvar org-babel-default-header-args:R '())
+(put 'org-babel-default-header-args:R 'safe-local-variable
+     (org-babel-header-args-safe-fn ob-R-safe-header-args))
 
 (defcustom org-babel-R-command "R --slave --no-save"
   "Name of command to use for executing R code."
-- 
1.8.4.2


[-- Attachment #4: Type: text/plain, Size: 15 bytes --]

-- 
Aaron Ecay

Re: [PATCH 2/3] Mark some org-babel variables as safe locals under proper conditions

[Eric Schulte]

These look great, I've just applied them.  I had to make very minor
changes to appease the compiler (see ac9d801).

Thanks!

Aaron Ecay <aaronecay@gmail.com> writes:

> Hi Eric,
>
> Thanks for the feedback.  You are right that this could be more
> extensible.  I’m attaching a new version of patches #2 and 3 to this
> email, which should be an improvement on that front.  I also added
> docstrings, and a test.
>
> Aaron
>
> PS You were right about org-every vs. mapcar in your other message.

-- 
Eric Schulte
https://cs.unm.edu/~eschulte
PGP: 0x614CA05D

[PATCH 3/3] mark o-b-default-header-args:R as a safe local under proper conditions

[Aaron Ecay]

* lisp/ob-R.el (org-babel-default-header-args:R): mark as a safe local
variable
---
 lisp/ob-R.el | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/lisp/ob-R.el b/lisp/ob-R.el
index 74d7513..2086622 100644
--- a/lisp/ob-R.el
+++ b/lisp/ob-R.el
@@ -66,6 +66,22 @@
   "R-specific header arguments.")
 
 (defvar org-babel-default-header-args:R '())
+(put 'org-babel-default-header-args:R 'safe-local-variable
+     (lambda (value)
+       (and (listp value)
+	    (and (mapcar
+		  (lambda (pair)
+		    (and (consp pair)
+			 (or (org-babel-one-header-arg-safe-p pair)
+			     (memq (car pair)
+				   '(:width :height :bg
+					    :units :pointsize :antialias
+					    :quality :compression :res
+					    :type :family :title :fonts
+					    :version :paper :encoding
+					    :pagecentre :colormodel
+					    :useDingbats :horizontal)))))
+		  value)))))
 
 (defcustom org-babel-R-command "R --slave --no-save"
   "Name of command to use for executing R code."
-- 
1.8.4.1

Re: [PATCH 3/3] mark o-b-default-header-args:R as a safe local under proper conditions

[Eric Schulte]

I think `mapcar' should be replaced with `org-every'.  Otherwise
wouldn't *every* list value for `org-babel-default-header-args:R' be
safe?

Additionally, I think this should be done in a way which can be easily
repeated across every ob-*.el file.

Thanks,

Aaron Ecay <aaronecay@gmail.com> writes:

> * lisp/ob-R.el (org-babel-default-header-args:R): mark as a safe local
> variable
> ---
>  lisp/ob-R.el | 16 ++++++++++++++++
>  1 file changed, 16 insertions(+)
>
> diff --git a/lisp/ob-R.el b/lisp/ob-R.el
> index 74d7513..2086622 100644
> --- a/lisp/ob-R.el
> +++ b/lisp/ob-R.el
> @@ -66,6 +66,22 @@
>    "R-specific header arguments.")
>  
>  (defvar org-babel-default-header-args:R '())
> +(put 'org-babel-default-header-args:R 'safe-local-variable
> +     (lambda (value)
> +       (and (listp value)
> +	    (and (mapcar
> +		  (lambda (pair)
> +		    (and (consp pair)
> +			 (or (org-babel-one-header-arg-safe-p pair)
> +			     (memq (car pair)
> +				   '(:width :height :bg
> +					    :units :pointsize :antialias
> +					    :quality :compression :res
> +					    :type :family :title :fonts
> +					    :version :paper :encoding
> +					    :pagecentre :colormodel
> +					    :useDingbats :horizontal)))))
> +		  value)))))
>  
>  (defcustom org-babel-R-command "R --slave --no-save"
>    "Name of command to use for executing R code."

-- 
Eric Schulte
https://cs.unm.edu/~eschulte
PGP: 0x614CA05D