From: Leo Butler
To: Max Nikulin
CC: "emacs-orgmode@gnu.org"
Subject: Re: [BUG] Unsolicited download of remote resources
Date: Mon, 5 Feb 2024 19:19:45 +0000
Message-ID: <87il323ei7.fsf@t14.reltub.ca>
References: <87h6iq662c.fsf@t14.reltub.ca>
In-Reply-To: (Max Nikulin's message of "Sun, 4 Feb 2024 19:45:02 +0700")
List-Id: "General discussions about Org-mode."
On Sun, Feb 04 2024, Max Nikulin wrote:

> On 03/02/2024 02:04, Leo Butler wrote:
>> When I opened your email in Gnus, I was greeted with the same
>> (bewildering) message. Given that Org still tried to download the
>> setupfile after being told not to, I think this is a major security
>> hole.
>> This is also related to another thread concerning Org and email.
>> https://list.orgmode.org/orgmode/87cyteyhif.fsf@localhost/
>
> Sorry for sending a message with this kind of attachment, but from the
> discussion of that Emacs bug I expected that almost no Gnus users
> should be affected since their media type handler is set for
> text/x-org while Thunderbird uses "Content-Type: text/org".
>
> I would not classify this kind of issue as a security one. I am
> unaware of Org features that may make the content of "#+setupfile:" more
> dangerous than the same snippet included in the attachment
> directly. (OK, an antivirus might have a chance to detect something as
> dangerous code and "#+setupfile:" would bypass such protection.)
>
> I consider it a privacy issue. It may allow spammers to track whether
> their messages are delivered successfully.

There's no need to apologize; I was surprised at the whole episode.

Q: if #+setupfile points to a real file available to download, does Org
evaluate that file?

Leo
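A defender-side check for the attachment case discussed in this thread: an added example (not code from Org or from anyone in the thread) that scans Org text for `#+setupfile:` keywords whose value is a network URL, so an attachment can be flagged before Org opens it and fetches the resource. The sample document and its host name are constructed; the keyword syntax assumed is Org's usual `#+KEY: value`, case-insensitive, with an optionally double-quoted value.

```python
import re
from urllib.parse import urlsplit

# Matches an Org keyword line such as:  #+SETUPFILE: "https://host/x.org"
# Keyword names are case-insensitive and the value may be double-quoted.
_SETUPFILE_RE = re.compile(
    r'^\s*#\+setupfile:\s*"?(?P<value>[^"\n]+?)"?\s*$',
    re.IGNORECASE,
)

# Schemes that would make Org reach out over the network to fetch the file.
REMOTE_SCHEMES = {"http", "https", "ftp"}


def is_remote(path):
    """True when a setupfile value names a network resource, not a local path."""
    return urlsplit(path.strip()).scheme.lower() in REMOTE_SCHEMES


def find_remote_setupfiles(org_text):
    """Return (line_number, url) for every #+setupfile: keyword that is remote.

    Local setupfiles (e.g. theme.org) are ignored: only network fetches are
    the tracking/privacy concern raised in the thread.
    """
    hits = []
    for lineno, line in enumerate(org_text.splitlines(), start=1):
        m = _SETUPFILE_RE.match(line)
        if m and is_remote(m.group("value")):
            hits.append((lineno, m.group("value").strip()))
    return hits


# Constructed sample resembling an Org attachment: one local and one remote
# setupfile keyword. The host name is a placeholder, not taken from the thread.
SAMPLE = """#+title: Constructed sample
#+SETUPFILE: theme.org
#+setupfile: "https://tracker.example/beacon.org"
Body text.
"""

if __name__ == "__main__":
    for lineno, url in find_remote_setupfiles(SAMPLE):
        print(f"line {lineno}: remote setupfile {url}")
```

Org 9.6 and later also expose `org-resource-download-policy`, which lets the user refuse such fetches outright rather than being prompted per file.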