From: Steven Allen
To: Ihor Radchenko, emacs-orgmode@gnu.org
Cc: Bastien
Subject: Re: [POLL] Bug of Feature? Attack vector via deceiving link abbrevs (was: [ANN] Emergency bugfix release: Org mode 9.7.5)
In-Reply-To: <87tthd6qht.fsf@localhost>
References: <87sex5gdqc.fsf@localhost> <87tthd6qht.fsf@localhost>
Date: Fri, 28 Jun 2024 08:52:00 -0700
Message-ID: <87sewxoyjj.fsf@stebalien.com>
List-Id: "General discussions about Org-mode."

Ihor Radchenko writes:

> Ihor Radchenko writes:
>
>> I just released Org mode 9.7.5 that fixes a critical vulnerability.
>> The release is coordinated with emergency Emacs 29.4 release.
>
> This one is another potential issue (or a feature) we have found while
> discussing the main vulnerability.
>
> Currently, one can create an Org file like
>
> #+LINK: https https://fake-gmail-login-page.xyz/
> [[https://gmail.com]]

This is no different from:

[[https://fake-gmail-login-page.xyz][https://gmail.com]]

In both cases, mousing over the link will show you the actual target address.

On the other hand, having different faces for "plain" links (links where the text in the buffer matches the link target) and special links would be kind of nice.
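
Added example (not part of the original message, and not Org's own code): a Python check that separates "plain" links from the two deceiving forms discussed above by comparing the host shown in the buffer with the host the link opens. The function name, the sample strings and the simplified abbreviation expansion (only %s substitution or appending the tag) are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

# "#+LINK: key replacement" keyword lines and [[target][description]] links.
LINK_KEYWORD = re.compile(r"^[ \t]*#\+LINK:[ \t]+(\S+)[ \t]+(\S+)", re.I | re.M)
BRACKET_LINK = re.compile(r"\[\[([^\]\[]+)\](?:\[([^\]\[]+)\])?\]")

# Constructed sample inputs, taken from the two forms quoted in the thread.
SAMPLE_ABBREV = "#+LINK: https https://fake-gmail-login-page.xyz/\n[[https://gmail.com]]\n"
SAMPLE_DESC = (
    "[[https://fake-gmail-login-page.xyz][https://gmail.com]]\n"
    "[[https://orgmode.org][https://orgmode.org]]\n"
)


def _host(text):
    """Lower-cased host if TEXT parses as a URL with a host, else ''."""
    return (urlsplit(text).hostname or "").lower()


def find_deceiving_links(org_text):
    """Return (kind, shown, target) for every bracket link whose visible
    text names one host while the expanded target points at another."""
    # Keys are compared case-insensitively here, a conservative assumption.
    abbrevs = {key.lower(): repl for key, repl in LINK_KEYWORD.findall(org_text)}
    findings = []
    for path, desc in BRACKET_LINK.findall(org_text):
        shown = desc or path          # what the reader sees in the buffer
        word, sep, tag = path.partition(":")
        target = path
        if sep and word.lower() in abbrevs:
            # Simplified expansion: substitute %s, otherwise append the tag.
            repl = abbrevs[word.lower()]
            target = repl.replace("%s", tag) if "%s" in repl else repl + tag
        shown_host, target_host = _host(shown), _host(target)
        if shown_host and target_host and shown_host != target_host:
            kind = "abbrev" if target != path else "description"
            findings.append((kind, shown, target))
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_ABBREV, SAMPLE_DESC):
        for finding in find_deceiving_links(sample):
            print(finding)
```

A link whose description is ordinary text rather than a URL is not reported, since it makes no claim about where it leads.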