emacs-orgmode@gnu.org archives
From: Aaron Ecay <aaronecay@gmail.com>
To: Nicolas Goaziou <n.goaziou@gmail.com>
Cc: emacs-orgmode@gnu.org
Subject: Re: [PATCH 1/3] Mark ox-latex variables safe locals under proper conditions
Date: Wed, 30 Oct 2013 00:15:25 -0400
Message-ID: <878uxbcs2q.fsf@gmail.com>
In-Reply-To: <874n80a3id.fsf@gmail.com>

Hi Nicolas,

On 29 October 2013, Nicolas Goaziou wrote:

[...]

> 
> Thanks for the patch. It is interesting.
> 
> Out of curiosity, why did you skip other variables (e.g.
> org-latex-footnote-separator)?

Because these variables insert arbitrary latex code into the export
output, they could be put to nefarious purposes.  If I can trick you
into compiling a latex document that I’ve inserted malicious code into,
AND into passing a particular non-default command line flag to latex,
then I can execute arbitrary shell commands on your machine with your
privileges.

Since this requires user intervention in the form of specifying an
additional command line flag, it could be argued that there is no
security breach in allowing potentially malicious code into an export
file – it will fail to have its desired bad effect without the user
taking further steps to weaken security.*  But it is in some sense a
lessening of security.  I think the community has to decide what is an
acceptable level of risk.

One intermediate option would be to not mark these string-valued variables as
safe by default, but let users opt in to marking them safe with a function
like the following, which users could choose to call in their init file:

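(defun org-live-dangerously ()
  "Mark string-valued ox-latex variables as safe file-local variables."
  ;; `etc...' is a placeholder for the other string-valued variables.
  (dolist (var '(org-latex-footnote-separator etc...))
    (put var 'safe-local-variable #'stringp)))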

Aaron

* But several latex tools, including minted, which org supports, use
this shell command functionality for benign purposes.  So many users are
probably used to turning it on, and perhaps even have configurations
that enable it by default.

-- 
Aaron Ecay
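
A narrower variant of the opt-in idea above, as an added example that is not part of the original message or of Org: instead of stringp, the predicate accepts only strings drawn from a small plain-text character set, so a file-local value cannot carry LaTeX commands. The my/ names and the allowed character set are assumptions of this example.

```emacs-lisp
;;; Added example; not code from the original message or from Org.
;;; All `my/' names are hypothetical.

(defvar my/org-latex-opt-in-variables '(org-latex-footnote-separator)
  "String-valued ox-latex variables the user accepts as file-locals.")

(defun my/org-latex-plain-string-p (value)
  "Return non-nil if VALUE is a string made only of plain text characters.
The allowed set (letters, digits, space and , . ; : ! ? ( ) -) is an
assumption of this example.  It leaves out backslash, braces, `^', `~',
`%', `$', `#', `&' and newlines, so the value cannot contain a LaTeX
control sequence or the `^^5c' spelling of a backslash."
  (and (stringp value)
       (string-match-p "\\`[[:alnum:] ,.;:!?()-]*\\'" value)
       t))

(defun my/org-latex-accept-plain-strings ()
  "Opt in: mark the listed variables safe for plain-text strings only."
  (dolist (var my/org-latex-opt-in-variables)
    (put var 'safe-local-variable #'my/org-latex-plain-string-p)))

(defun my/org-latex-check-opt-in ()
  "Signal an error unless constructed sample values get the expected verdict."
  (my/org-latex-accept-plain-strings)
  (let ((var 'org-latex-footnote-separator))
    ;; Constructed sample values, each paired with the expected verdict.
    (dolist (sample '((", " . t)
                      ("" . t)
                      ("\\textsuperscript{,}" . nil) ; control sequence
                      ("^^5cfoo" . nil)              ; ^^ form of backslash
                      ("a\nb" . nil)                 ; newline
                      (42 . nil)))                   ; not a string
      (unless (eq (and (safe-local-variable-p var (car sample)) t)
                  (cdr sample))
        (error "Unexpected verdict for %S" (car sample))))
    t))
```

Calling my/org-latex-accept-plain-strings from an init file performs the opt-in; any value outside the allowed set is still treated by Emacs as an unsafe file-local variable.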
