emacs-orgmode@gnu.org archives
From: Jean Louis <bugs@gnu.support>
To: Maxim Nikulin <manikulin@gmail.com>
Cc: emacs-orgmode@gnu.org
Subject: Re: Thoughts on the standardization of Org
Date: Mon, 9 Nov 2020 18:59:17 +0300
Message-ID: <X6lnVcrYqoyOhBFx@protected.rcdrun.com>
In-Reply-To: <robi94$ma$1@ciao.gmane.io>

* Maxim Nikulin <manikulin@gmail.com> [2020-11-09 17:06]:
> 2020-11-08 Jean Louis wrote:
> > That is right, I have been using it for years in ~/.mailcap that works well
> > for the mutt email client.
> > 
> > text/org;	emacsclient %s; nametemplate=%s.org;
> > text/x-org;	emacsclient %s; nametemplate=%s.org;
> 
> Just out of curiosity, couldn't it lead to execution of arbitrary code
> placed into elisp table expressions, some macro, etc.?

The file name is created on the fly, like a temporary file name. The
email does not carry a file name.

But it is true that file names can be used maliciously. Only not in
the case when I am opening an Org file from the Mutt email client or
others.

But if I were opening an Org file with some malicious file name from
other software, I guess there could be problems. Quoting '%s' is
recommended. Mailcap has security issues just as the file system has.

When the file is opened, there is an Org file. There is no automatic
execution unless the user has set his system to maybe automatically
execute stuff.

> I have not convinced myself that just opening a file (without
> executing src blocks) is safe enough and that there are no dangerous
> #+startup options or other tricks.

That is why on GNU/Linux and BSD systems and other systems we have
login with username and passwords and locking screensavers. Those are
for use. Computers should be protected from malicious access.

By all means you are right to be cautious with Emacs that executes
here and there all kinds of things.

For the same reason one shall be cautious of any packages coming from
various popular package repositories as such are not verified for
safety issues.

For any Emacs package never allow local file variables to be executed
unless you are sure what you are doing. Just say no if unsure.

For any package offered by some uncommon communication line, such as
XMPP chat, or IRC like "Hey there, look what this theme does", do not
trust it without being very sure that the package is verified or at
least downloaded by many people without complaints.

Any programming language is insecure if people just execute programs
without verifying the background of such programs, the people behind
them and the fact of whether many users appreciate the programs.

When receiving an Org file by email you should know who the person
behind it is.

The only Org files I am currently receiving are from Sacha Chua, the
Emacs News, as I am subscribed to it. You may subscribe too:
https://sachachua.com/blog/#text-3

-- 
Thanks,
Jean Louis
⎔ λ 🄯 𝍄 𝌡 𝌚
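
An added example, not part of the original message or of Org itself: a pre-open triage script that lists the constructs raised in this thread (src blocks, elisp table formulas, eval macros, elisp/shell links, file-local variables) in an Org attachment before it reaches Emacs. The rule names, `scan_org` and the sample file are assumptions made for this illustration, and the heuristics are not a complete list of Org features that can evaluate code.

```python
import re

# Heuristic rules for Org constructs that can evaluate code when acted on.
# Assumption: covers the constructs raised in this thread, not all of Org.
RULES = [
    ("src-block", re.compile(r"^\s*#\+begin_src\b", re.I)),
    ("elisp-table-formula", re.compile(r"^\s*#\+tblfm:.*=\s*'\(", re.I)),
    ("eval-macro", re.compile(r"^\s*#\+macro:\s+\S+\s+\(eval\b", re.I)),
    ("elisp-or-shell-link", re.compile(r"\[\[(?:elisp|shell):", re.I)),
]
LOCALS_START = re.compile(r"^\s*#\s*Local Variables:\s*$", re.I)
LOCALS_END = re.compile(r"^\s*#\s*End:\s*$", re.I)
LOCALS_EVAL = re.compile(r"^\s*#\s*eval\s*:", re.I)

def scan_org(text):
    """Return (line_number, rule, line) for each construct worth reviewing."""
    findings, in_locals = [], False
    for no, line in enumerate(text.splitlines(), 1):
        if LOCALS_START.match(line):
            in_locals = True
            findings.append((no, "local-variables", line.strip()))
        elif in_locals:
            # Inside the file-local variables block only eval: lines are flagged.
            if LOCALS_END.match(line):
                in_locals = False
            elif LOCALS_EVAL.match(line):
                findings.append((no, "local-eval", line.strip()))
        else:
            findings.extend((no, name, line.strip())
                            for name, rx in RULES if rx.search(line))
    return findings

# Constructed sample with harmless payloads, standing in for a mailed attachment.
SAMPLE = """\
#+TITLE: Weekly notes
#+MACRO: today (eval (format-time-string "%Y-%m-%d"))
| 2 | 4 |
#+TBLFM: $2='(* 2 (string-to-number $1))
See [[elisp:(message "clicked")][this link]] and [[https://orgmode.org][Org]].
#+BEGIN_SRC sh
echo hello
#+END_SRC
# Local Variables:
# eval: (message "loaded")
# End:
"""

if __name__ == "__main__":
    for no, rule, line in scan_org(SAMPLE):
        print(f"{no:3d}  {rule:20s} {line}")
```

A hit means the file deserves a read in a plain viewer first; it does not mean the construct would run without a prompt.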

