Date: Tue, 10 Nov 2020 01:45:54 +0300
From: Jean Louis
To: Tim Cross
Subject: Emails are not safe - Re: Thoughts on the standardization of Org
Cc: emacs-orgmode@gnu.org

* Tim Cross [2020-11-10 00:50]:
>
> Maxim Nikulin writes:
>
> > 2020-11-08 Jean Louis wrote:
> >> That is right, I am using it since years in ~/.mailcap that works well
> >> for mutt email client.
> >>
> >> text/org; emacsclient %s; nametemplate=%s.org;
> >> text/x-org; emacsclient %s; nametemplate=%s.org;
> >
> > Just for curiosity, couldn't it lead to execution of arbitrary code
> > placed into elisp table expressions, some macro, etc.? I have not
> > convinced myself that just opening of a file (without executing of src
> > blocks) is safe enough and there are no dangerous #+startup options or other
> > tricks. Emacs is too powerful and too flexible...
>
> By default, it is pretty safe.
> While you can customize things in such a
> way as to expose you to additional danger, you have to explicitly do
> that.
>
> There is a risk with many MIME types, for example images, word and excel
> documents etc. Even HTML can be a threat, especially if your mail reader
> supports JS and is not well engineered with security checks.
>
> No email can be considered 100% safe. However, in addition to the
> possible security consequences, you also have to consider the
> likelihood. The effort it takes to craft a malicious payload needs some
> sort of reward and while that reward might be as trivial as just causing
> mayhem, the relatively small user base for org compared to other MIME
> types is unlikely to make it an attractive mechanism. You are more
> likely to choose something more popular to put your efforts into.

In general I understand your very valid points.

When using a text-based email reader and non-JavaScript browsers to read
emails, email is practically very safe. I never encountered any
problems in the last 2 decades plus 1 year.

Of course there are phishing and tracking emails and there are bugs in
various software. Mostly I have used mutt, and for some time
Thunderbird. Never had any issue with emails. It does not mean there
are none:

https://nvd.nist.gov/vuln/detail/CVE-2020-6793

https://www.mozilla.org/en-US/security/advisories/mfsa2020-44/

https://www.cvedetails.com/product/3678/Mozilla-Thunderbird.html?vendor_id=452

https://www.cvedetails.com/google-search-results.php?q=mutt&sa=Search
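
A pre-open check for the constructs named in the quoted question (src blocks, elisp table formulas, macros, #+STARTUP lines), added here as an example and not part of the original message. It also flags file-local `eval:` variables and `elisp:`/`shell:` links, which the thread does not mention. The function name `scan_org`, the check names and the sample attachment are constructed for illustration.

```python
import re

# Patterns for Org constructs that can carry Emacs Lisp or shell code.
# A match means "review before opening", not "this file is malicious".
CHECKS = [
    ("src-block",      re.compile(r"^\s*#\+begin_src\b", re.I)),
    ("inline-src",     re.compile(r"\bsrc_[\w-]+(\[[^\]]*\])?\{")),
    ("elisp-formula",  re.compile(r"^\s*#\+tblfm:.*=\s*'\(", re.I)),
    ("eval-macro",     re.compile(r"^\s*#\+macro:\s+\S+\s+\(eval\b", re.I)),
    ("startup-option", re.compile(r"^\s*#\+startup:", re.I)),
    ("local-eval",     re.compile(r"^\s*#\s*eval:|-\*-.*\beval:", re.I)),
    ("code-link",      re.compile(r"\[\[(elisp|shell):", re.I)),
]

def scan_org(text):
    """Return (line_number, check_name) findings in line order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in CHECKS:
            if pattern.search(line):
                findings.append((lineno, name))
    return findings

# Constructed sample attachment (not taken from the thread).
SAMPLE = """\
#+TITLE: Meeting notes
#+STARTUP: overview
#+MACRO: today (eval (format-time-string "%Y-%m-%d"))
* Budget
| 2 | 3 |   |
#+TBLFM: $3='(+ $1 $2);N
* Build
#+BEGIN_SRC sh
echo hello
#+END_SRC
See [[elisp:(message "hi")][click me]].
# Local Variables:
# eval: (message "loaded")
# End:
"""

if __name__ == "__main__":
    for lineno, name in scan_org(SAMPLE):
        print(f"line {lineno}: {name}")
```

A finding only reports that the construct is present in the file; it does not say whether Emacs would evaluate it on open.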