From 961a3ee38a2b9521427fddea5102d003f39b88d6 Mon Sep 17 00:00:00 2001
Message-Id: <961a3ee38a2b9521427fddea5102d003f39b88d6.1666926796.git.yantar92@posteo.net>
From: Ihor Radchenko <yantar92@posteo.net>
Date: Fri, 28 Oct 2022 11:09:50 +0800
Subject: [PATCH] org-babel-read: Obey `org-confirm-babel-evaluate'

* lisp/ob-core.el (org-babel-read): Do not execute arbitrary Elisp
without prompt, according to `org-confirm-babel-evaluate'.

Reported-by: Max Nikulin <manikulin@gmail.com>
Link: https://orgmode.org/list/tjct9e$179u$1@ciao.gmane.io
---
 lisp/ob-core.el | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/lisp/ob-core.el b/lisp/ob-core.el
index 518831ec6..e10ab401c 100644
--- a/lisp/ob-core.el
+++ b/lisp/ob-core.el
@@ -3165,7 +3165,16 @@ (defun org-babel-read (cell &optional inhibit-lisp-eval)
 	((and (not inhibit-lisp-eval)
 	      (or (memq (string-to-char cell) '(?\( ?' ?` ?\[))
 		  (string= cell "*this*")))
-	 (eval (read cell) t))
+         ;; Prevent arbitrary function calls.
+         (if (and (memq (string-to-char cell) '(?\( ?`))
+                  (not (org-babel-confirm-evaluate
+                      ;; See `org-babel-get-src-block-info'.
+                      (list "emacs-lisp" (format "%S" cell)
+                            '((:eval . yes)) nil (format "%S" cell)
+                            nil nil))))
+             ;; Not allowed.
+             (user-error "Evaluation of elisp code %S aborted." cell)
+	   (eval (read cell) t)))
 	((save-match-data
            (and (string-match "^[[:space:]]*\"\\(.*\\)\"[[:space:]]*$" cell)
                 (not (string-match "[^\\]\"" (match-string 1 cell)))))
-- 
2.35.1