From: Aaron Ecay
Subject: [RFC] [PATCH] allow bind keywords to set safe values
Date: Fri, 06 Nov 2015 18:09:28 +0000
Message-ID: <8737wjuhif.fsf@gmail.com>
List-Id: "General discussions about Org-mode."
To: orgmode

Hello all,

BIND keywords should be used for controlling export, rather than the usual emacs method of setting file local variables. But, BIND keywords are currently disabled by default. We can't turn these on by default, as maliciously crafted documents could do nasty things to a user's emacs.
The attached patch permits many interesting usages of BIND keywords by allowing them to set variables by default, as long as the value thus set is safe (as implemented by emacs's default file local variable code). Comments welcome.

Thanks,
--
Aaron Ecay

Content-Disposition: inline; filename=0001-Allow-bind-keywords-to-set-safe-values.patch

From a0650372cafa6debf1465624c2cc23dd01aa7083 Mon Sep 17 00:00:00 2001 From: Aaron Ecay Date: Fri, 6 Nov 2015 17:51:09 +0000 Subject: [PATCH] Allow bind keywords to set safe values * lisp/ox.el (org-export-allow-bind-keywords): Add new `safe' value. (org-export--list-bound-variables): Use it. * doc/org.texi (Export settings): Update doc. --- doc/org.texi | 18 +++++++++++++++--- lisp/ox.el | 20 ++++++++++++++++---- 2 files changed, 31 insertions(+), 7 deletions(-) diff --git a/doc/org.texi b/doc/org.texi index c57cc41..6abf5ad 100644 --- a/doc/org.texi +++ b/doc/org.texi @@ -10708,6 +10708,7 @@ properties (@pxref{Properties and columns}). Options set at a specific level override options set at a more general level. @cindex #+SETUPFILE +@anchor{SETUPFILE} In-buffer settings may appear anywhere in the file, either directly or indirectly through a file included using @samp{#+SETUPFILE: filename} syntax. Option keyword sets tailored to a particular back-end can be inserted from
@@ -10948,9 +10949,20 @@ properties. @cindex #+BIND @vindex org-export-allow-bind-keywords If @code{org-export-allow-bind-keywords} is non-@code{nil}, Emacs variables -can become buffer-local during export by using the BIND keyword. Its syntax -is @samp{#+BIND: variable value}. This is particularly useful for in-buffer -settings that cannot be changed using specific keywords. +can become buffer-local during export by using the BIND keyword. Setting the +variable to @code{t} allows variables to take on all values. Setting it to +the symbol @code{safe} (the default) only allows safe values. (@pxref{Safe +File Variables,,,emacs,The Emacs Manual}) The syntax of a BIND keyword is +@samp{#+BIND: variable value}. The text of @samp{value} will be passed to +the elisp @code{read} function.@footnote{This means that strings should be +surrounded with double quotes, but symbols and lists will be read literally +and need not be quoted for lisp with a single quote.} The BIND keyword is +particularly useful for in-buffer settings that cannot be changed using +specific keywords.@footnote{You should not use the usual emacs local variable +convention (@pxref{Specifying File Variables,,,emacs,The Emacs Manual}), +because these notations could be lost during the export process.} It is also +useful for collecting common variable settings in a setup file shared between +several documents (@pxref{SETUPFILE}). @cindex property, EXPORT_FILE_NAME The name of the output file to be generated is taken from the file associated diff --git a/lisp/ox.el b/lisp/ox.el index eb1af9b..e257c1f 100644 --- a/lisp/ox.el +++ b/lisp/ox.el 
@@ -832,14 +832,22 @@ can also be set with the OPTIONS keyword, e.g. \"todo:nil\"." :group 'org-export-general :type 'boolean) -(defcustom org-export-allow-bind-keywords nil +(defcustom org-export-allow-bind-keywords 'safe "Non-nil means BIND keywords can define local variable values. This is a potential security risk, which is why the default value -is nil. You can also allow them through local buffer variables." +is nil. You can also allow them through local buffer variables. + +See the documentation for `safe-local-variable-p' and the +node (info \"(emacs) Safe File Variables\") for information on +the safety setting." :group 'org-export-general :version "24.4" :package-version '(Org . "8.0") - :type 'boolean) + :type '(choice + (const :tag "Never" nil) + (const :tag "Only if safe" safe) + (const :tag "Always" t)) + :safe (lambda (x) (memq x '(nil safe)))) (defcustom org-export-with-broken-links nil "Non-nil means do not raise an error on broken links. @@ -1646,7 +1654,11 @@ an alist where associations are (VARIABLE-NAME VALUE)." (let ((val (org-element-property :value element))) (if (equal (org-element-property :key element) "BIND") - (push (read (format "(%s)" val)) alist) + (let* ((pair (read (format "(%s)" val)))) + (when (or (eq org-export-allow-bind-keywords t) + (safe-local-variable-p + (nth 0 pair) (nth 1 pair))) + (push pair alist))) ;; Enter setup file. (let ((file (expand-file-name (org-remove-double-quotes val)))) -- 2.6.2 --=-=-=--
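Review bot: in the org.texi hunk at @@ -10948, the new paragraph never says what happens to a BIND keyword whose value is not safe under the default `safe` setting; the ox.el change drops such bindings silently, so a sentence like "Bindings whose value is not safe for the variable are ignored" would spare users a confusing export. Two smaller points in the same hunk: the cross-reference sits after the sentence's full stop ("only allows safe values. (@pxref{Safe File Variables,,,emacs,The Emacs Manual}) The syntax"), whereas Texinfo convention keeps the parenthesised @pxref inside the sentence before the period; and the first footnote's "need not be quoted for lisp with a single quote" reads awkwardly and should be "need not be quoted with a single quote, as they would be in Lisp".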
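Review bot: in the ox.el hunk at @@ -832, the docstring is now stale: it still says "This is a potential security risk, which is why the default value is nil" although the default on the line above became `safe`; rewrite that sentence to describe the three values (nil, `safe`, t) and why `safe` is the default. Since both the default and the :type changed, :package-version '(Org . "8.0") should be bumped to the release that ships this change, and the change wants a NEWS entry: users who set the option to a non-nil value other than t previously got "allow everything" and will now get safe-only behaviour, because the new code tests `(eq org-export-allow-bind-keywords t)`. The :safe predicate restricting file-local values to nil and safe is the right call and should stay, as it stops a document from re-enabling unrestricted bindings through a local-variables block.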
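Review bot: in the ox.el hunk at @@ -1646, the nil ("Never") setting is not handled in the new condition: with org-export-allow-bind-keywords nil the `or` falls through to safe-local-variable-p, so unless every caller already skips org-export--list-bound-variables when the option is nil, "Never" still applies safe bindings. Make the gate explicit, e.g. `(when (and org-export-allow-bind-keywords (or (eq org-export-allow-bind-keywords t) (safe-local-variable-p (nth 0 pair) (nth 1 pair)))) (push pair alist))`. Two further points: a rejected binding is dropped without any message, so the user gets no hint why their BIND had no effect (a `message` naming the variable would help); and `(nth 0 pair)` is handed to safe-local-variable-p without checking that it is a symbol, which that predicate requires, so a malformed line such as `#+BIND: "x" 1` aborts the export instead of being skipped. Style nit: `let*` with a single binding can be plain `let`.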
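As an added example (not code from the patch or from Org itself), here is the accept/reject decision the `safe` setting makes, carried out over constructed BIND lines with Emacs's own `safe-local-variable-p`, together with the property a user sets to make their own variable BIND-able under the new default; the `my-` names are hypothetical.

```elisp
;; Added example, not part of the patch or of Org: it reproduces the
;; decision the patched `org-export--list-bound-variables' makes for each
;; BIND keyword, using Emacs's own `safe-local-variable-p' (files.el,
;; preloaded), and shows how a variable is marked safe so BIND can set it
;; under the new default.  All `my-' names are hypothetical.

(defun my-bind-keyword-allowed-p (bind-text allow)
  "Return non-nil if BIND-TEXT (the text after `#+BIND:') may be applied.
ALLOW takes the values of `org-export-allow-bind-keywords': t, `safe' or nil.
Text that `read' rejects, or a non-symbol variable name, is refused."
  (let* ((pair (condition-case nil
                   (read (format "(%s)" bind-text))
                 (error nil)))
         (var (nth 0 pair))
         (val (nth 1 pair)))
    (and (consp pair)
         (symbolp var)
         (cond ((eq allow t) t)
               ((eq allow 'safe) (safe-local-variable-p var val))
               (t nil)))))

;; Mark a (hypothetical) user variable as safe only for string values.
;; This is the same property `safe-local-variable-p' consults for
;; file-local variables, so the BIND keyword inherits the rule.
(defvar my-export-variant "draft" "Which variant of the document to export.")
(put 'my-export-variant 'safe-local-variable #'stringp)

;; Constructed sample BIND lines, as they would appear after `#+BIND:'.
(defvar my-sample-binds
  '("fill-column 70"                        ; integer: Emacs marks this safe
    "fill-column \"wide\""                  ; wrong type for `fill-column'
    "my-export-variant \"print\""           ; string: allowed by our predicate
    "my-export-variant print"               ; symbol: refused by our predicate
    "after-save-hook (delete-file \"x\")"   ; hook variable: never safe
    "\"not-a-symbol\" 1"))                  ; malformed: refused without error

(defun my-accepted-binds (allow)
  "Return the sample BIND lines that would take effect under setting ALLOW."
  (delq nil (mapcar (lambda (b) (and (my-bind-keyword-allowed-p b allow) b))
                    my-sample-binds)))

;; Evaluate in *scratch* to compare the three settings:
;; (my-accepted-binds 'safe)
;; (my-accepted-binds t)
;; (my-accepted-binds nil)
```

Under `safe` only the two lines whose value passes the variable's own predicate survive, while `t` accepts everything except the malformed line and `nil` accepts nothing.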