emacs-orgmode@gnu.org archives
From: Jean Louis <bugs@gnu.support>
To: Tim Cross <theophilusx@gmail.com>
Cc: emacs-orgmode@gnu.org
Subject: Emails are not safe - Re: Thoughts on the standardization of Org
Date: Tue, 10 Nov 2020 01:45:54 +0300
Message-ID: <X6nGokLkeVCcuh2i@protected.rcdrun.com>
In-Reply-To: <877dqujj9t.fsf@gmail.com>

* Tim Cross <theophilusx@gmail.com> [2020-11-10 00:50]:
> 
> Maxim Nikulin <manikulin@gmail.com> writes:
> 
> > 2020-11-08 Jean Louis wrote:
> >> That is right, I have been using it for years in ~/.mailcap; that works well
> >> for the mutt email client.
> >>
> >> text/org;	emacsclient %s; nametemplate=%s.org;
> >> text/x-org;	emacsclient %s; nametemplate=%s.org;
> >
> > Just out of curiosity, couldn't it lead to execution of arbitrary code
> > placed into elisp table expressions, some macro, etc.? I have not
> > convinced myself that just opening a file (without executing src
> > blocks) is safe enough and that there are no dangerous #+startup
> > options or other tricks. Emacs is too powerful and too flexible...
> 
> By default, it is pretty safe. While you can customize things in such a
> way as to expose you to additional danger, you have to explicitly do
> that.
> 
> There is a risk with many MIME types, for example images, Word and Excel
> documents etc. Even HTML can be a threat, especially if your mail reader
> supports JS and is not well engineered with security checks.
> 
> No email can be considered 100% safe. However, in addition to the
> possible security consequences, you also have to consider the
> likelihood. The effort it takes to craft a malicious payload needs some
> sort of reward and while that reward might be as trivial as just causing
> mayhem, the relatively small user base for org compared to other MIME
> types is unlikely to make it an attractive mechanism. You are more
> likely to choose something more popular to put your efforts into.

In general I understand your very valid points.

When using a text-based email reader and non-JavaScript browsers to read
emails, email is practically very safe. I never encountered any
problems in the last 2 decades plus 1 year. Of course there are phishing
and tracking emails and there are bugs in various software. Mostly I
have used mutt, and for some time Thunderbird. Never had any issue
with emails.

It does not mean there are none:

https://nvd.nist.gov/vuln/detail/CVE-2020-6793

https://www.mozilla.org/en-US/security/advisories/mfsa2020-44/

https://www.cvedetails.com/product/3678/Mozilla-Thunderbird.html?vendor_id=452

https://www.cvedetails.com/google-search-results.php?q=mutt&sa=Search
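
The concern raised in the quoted question, a mailcap entry that hands a text/org attachment straight to emacsclient, can be narrowed by inspecting the file before it is opened. The following is an added example, not part of the original message and not code from Org or mutt: a Python audit that flags Org constructs able to carry evaluable code. The pattern list, function names and sample text are constructed here, and whether Emacs acts on a flagged construct depends on the reader's configuration.

```python
import re

# Org constructs that can carry evaluable code. A hit means "review before
# opening"; it does not mean Emacs would evaluate it with default settings.
# The list is an assumption of this example, not an exhaustive catalogue.
PATTERNS = [
    ("src-block",        re.compile(r"^\s*#\+begin_src\b", re.I)),
    ("inline-src/call",  re.compile(r"\b(?:src_[\w-]+|call_[\w-]+)[\[({]")),
    ("call-keyword",     re.compile(r"^\s*#\+call:", re.I)),
    ("table-elisp",      re.compile(r"^\s*#\+tblfm:.*'\(", re.I)),
    ("eval-macro",       re.compile(r"^\s*#\+macro:\s+\S+\s+\(eval\b", re.I)),
    ("bind-keyword",     re.compile(r"^\s*#\+bind:", re.I)),
    ("setupfile",        re.compile(r"^\s*#\+setupfile:", re.I)),
    ("elisp/shell-link", re.compile(r"\[\[(?:elisp|shell):", re.I)),
    # File-local variables: "# -*- eval: ... -*-" or "# eval: ..." in a
    # "Local Variables:" block at the end of the file.
    ("local-eval",       re.compile(r"^\s*#\s.*\beval:", re.I)),
]

def audit_org(text):
    """Return (line_number, label, line) for every flagged construct."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for label, rx in PATTERNS:
            if rx.search(line):
                findings.append((no, label, line.strip()))
    return findings

# Constructed sample attachment with harmless forms only.
SAMPLE = """\
#+TITLE: Meeting notes
#+STARTUP: overview
#+MACRO: today (eval (format-time-string "%F"))
| qty | total |
|   2 |       |
#+TBLFM: $2='(* 2 (string-to-number $1))
See [[elisp:(message "hi")][this link]] for details.
#+begin_src sh
echo hello
#+end_src
# Local Variables:
# eval: (message "loaded")
# End:
"""

if __name__ == "__main__":
    for no, label, line in audit_org(SAMPLE):
        print(f"{no:3d}  {label:16s}  {line}")
```

An empty result is the only case in which a wrapper around the mailcap command would open the attachment without asking; anything else is shown to the user first.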

