From: Ihor Radchenko
To: emacs-orgmode@gnu.org
Cc: Bastien, Steven Allen
Subject: [POLL] Bug of Feature? Attack vector via deceiving link abbrevs (was: [ANN] Emergency bugfix release: Org mode 9.7.5)
In-Reply-To: <87sex5gdqc.fsf@localhost>
References: <87sex5gdqc.fsf@localhost>
Date: Fri, 28 Jun 2024 15:23:10 +0000
Message-ID: <87tthd6qht.fsf@localhost>

Ihor Radchenko writes:

> I just released Org mode 9.7.5 that fixes a critical vulnerability.
> The release is coordinated with emergency Emacs 29.4 release.

This one is another potential issue (or a feature) we have found while
discussing the main vulnerability.
Currently, one can create an Org file like

  #+LINK: https https://fake-gmail-login-page.xyz/
  [[https://gmail.com]]

And the "https" link will actually be expanded according to the
abbreviation. In other words, abbreviations take priority over the link
types in Org mode.

As illustrated above, one can try to trick a user into clicking the above
"gmail" link, redirecting to a completely different page instead.

On the other hand, I can totally see people making use of the current
behavior to have custom filters for existing link types. For example, to
redirect to archive.org when opening web links.

I am inclined to call this a feature, and leave the current behavior
unchanged, but would like to hear from others first.

-- 
Ihor Radchenko // yantar92,
Org mode contributor,
Learn more about Org mode at .
Support Org development at ,
or support my work at
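As an added example (not Org mode's own code), a small checker for the concern raised above: it reads the #+LINK definitions in a file, reports bracket links whose scheme is a built-in link type that the same file redefines, and shows what each would expand to. Expansion follows Org's documented %s / %h / append rules; the list of built-in types is an assumed representative subset, and the sample file is constructed.

```python
import re
import urllib.parse

# Assumption: a representative subset of Org's built-in link types. A #+LINK
# abbreviation with one of these names takes priority over the type itself.
BUILTIN_LINK_TYPES = {"http", "https", "ftp", "file", "mailto", "news",
                      "id", "info", "help", "shell", "elisp"}

LINK_KEYWORD_RE = re.compile(r"^\s*#\+LINK:\s+(\S+)\s+(\S+)", re.IGNORECASE)
BRACKET_LINK_RE = re.compile(r"\[\[([^\[\]]+?)(?:\]\[[^\]]*)?\]\]")  # [[t]] / [[t][desc]]

def parse_abbrevs(text):
    """Collect '#+LINK: key template' definitions from an Org buffer."""
    abbrevs = {}
    for line in text.splitlines():
        m = LINK_KEYWORD_RE.match(line)
        if m:
            abbrevs[m.group(1)] = m.group(2)
    return abbrevs

def expand_link(target, abbrevs):
    """Org's documented rules: %s takes the tag, %h the URL-encoded tag,
    otherwise the tag is appended to the template."""
    key, sep, tag = target.partition(":")
    if not sep or key not in abbrevs:
        return target
    template = abbrevs[key]
    if "%s" in template:
        return template.replace("%s", tag)
    if "%h" in template:
        return template.replace("%h", urllib.parse.quote(tag, safe=""))
    return template + tag

def find_shadowing_links(text):
    """(link as written, link after expansion) for every bracket link whose
    scheme is a built-in type that a #+LINK line in the same file redefines."""
    abbrevs = parse_abbrevs(text)
    shadowed = BUILTIN_LINK_TYPES & set(abbrevs)
    findings = []
    for m in BRACKET_LINK_RE.finditer(text):
        target = m.group(1)
        if target.partition(":")[0] in shadowed:
            findings.append((target, expand_link(target, abbrevs)))
    return findings

# Constructed sample: the deceptive definition from the mail plus a benign one.
SAMPLE_ORG = """#+LINK: https https://fake-gmail-login-page.xyz/
#+LINK: gh https://github.com/%s
[[https://gmail.com][Gmail]]
[[gh:org-mode/org]]
"""
```

Running find_shadowing_links(SAMPLE_ORG) reports only the "https" link, with its expanded target pointing at the redefined host; the "gh" abbreviation is left alone because it shadows nothing.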