From: Aaron Ecay
Subject: Re: [PATCH 1/3] Mark ox-latex variables safe locals under proper conditions
Date: Wed, 30 Oct 2013 00:15:25 -0400
Message-ID: <878uxbcs2q.fsf@gmail.com>
To: Nicolas Goaziou
Cc: emacs-orgmode@gnu.org

Hi Nicolas,

On 29 October 2013, Nicolas Goaziou wrote:

[...]

>
> Thanks for the patch. It is interesting.
>
> Out of curiosity, why did you skip other variables (e.g.
> org-latex-footnote-separator)?

Because these variables insert arbitrary latex code into the export
output, they could be put to nefarious purposes.
If I can trick you into compiling a latex document that I’ve inserted
malicious code into, AND into passing a particular non-default command
line flag to latex, then I can execute arbitrary shell commands on your
machine with your privileges.

Since this requires user intervention in the form of specifying an
additional command line flag, it could be argued that there is no
security breach in allowing potentially malicious code into an export
file – it will fail to have its desired bad effect without the user
taking further steps to weaken security.* But it is in some sense a
lessening of security. I think the community has to decide what is an
acceptable level of risk.

One intermediate option would be to not mark these string-valued
variables as safe by default, but let users opt in to marking them safe
with a function like the following, which users could choose to call in
their init file:

    (defun org-live-dangerously ()
      (dolist (var '(org-latex-footnote-separator etc...))
        (put var 'safe-local-variable #'stringp)))

Aaron

* But several latex tools, including minted, which org supports, use
this shell command functionality for benign purposes. So many users are
probably used to turning it on, and perhaps even have configurations
that enable it by default.

-- 
Aaron Ecay
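
An added example, not part of the original message and not code from Org: it shows how Emacs evaluates the opt-in described above, using the built-in `safe-local-variable-p`, and that a `stringp` predicate checks only the type of a file-local value, never its LaTeX content. All `my/` names and the sample values are assumptions made for illustration.

```emacs-lisp
;; Added illustration; not code from the original message or from Org.
;; All `my/' names are hypothetical.

(defvar my/org-latex-string-vars '(org-latex-footnote-separator)
  "Variables to opt in.  Only the one named in the message is listed.")

(defun my/org-latex-opt-in ()
  "Accept any string as a file-local value for the listed variables."
  (dolist (var my/org-latex-string-vars)
    (put var 'safe-local-variable #'stringp)))

(defun my/org-latex-opt-out ()
  "Undo `my/org-latex-opt-in' so the values are no longer treated as safe.
This clears the property even if other code had set it."
  (dolist (var my/org-latex-string-vars)
    (put var 'safe-local-variable nil)))

(defun my/org-latex-accepted-p (value)
  "Return an alist of (VAR . ACCEPTED) for VALUE.
ACCEPTED is t when Emacs considers VALUE a safe file-local value
for VAR, according to `safe-local-variable-p'."
  (mapcar (lambda (var)
            (cons var (and (safe-local-variable-p var value) t)))
          my/org-latex-string-vars))

(defun my/org-latex-demo ()
  "Compare acceptance before and after opting in, for constructed values."
  (let ((samples '("\\textsuperscript{,}"   ; constructed: ordinary separator
                   "\\anymacro{anything}"   ; constructed: arbitrary LaTeX
                   42))                     ; constructed: not a string
        before after)
    (my/org-latex-opt-out)
    (setq before (mapcar #'my/org-latex-accepted-p samples))
    (my/org-latex-opt-in)
    (setq after (mapcar #'my/org-latex-accepted-p samples))
    (my/org-latex-opt-out)              ; leave the session as strict as before
    (list :before before :after after)))
```

Evaluating `(my/org-latex-demo)` returns the acceptance results for each sample before and after the opt-in; pairs already listed in `safe-local-variable-values` count as safe regardless of the predicate.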