To: emacs-orgmode@gnu.org
From: Maxim Nikulin
Subject: Re: Thoughts on the standardization of Org
Date: Tue, 10 Nov 2020 23:19:35 +0700

> * Maxim Nikulin [2020-11-09 17:06]:
>> 2020-11-08 Jean Louis wrote:
>>> That is right, I am using it since years in ~/.mailcap that works well
>>> for mutt email client.
>>>
>>> text/org; emacsclient %s; nametemplate=%s.org;
>>> text/x-org; emacsclient %s; nametemplate=%s.org;
>>
>> Just for curiosity, couldn't it lead to execution of arbitrary code
>> placed into elisp table expressions, some macro, etc.?

My question is solely concerning content of an org file.
Let's assume default emacs and org mode settings or customization that does not bring more weakness.

I consider an attack through the content of an org file obtained from the network. It may be a message from a person, even from the usual contact list, whose computer was infected by some malware. Imagine that botnet developers would notice a new RFC on org mode and would add a plugin capable of adding a specific payload (fetching and launching its agent using elisp) if org files are noticed in the host owner's mailbox. I would not like to see org next to office files in security warnings.

The reason why I am afraid to add emacs as a MIME handler for org files is the following. Nowadays vim is shipped with modeline disabled (at least by default); it was used to specify e.g. tab width for the particular file, but it allows changing too many settings. After skimming through the org manual, my impression is that org mode allows overriding a lot of settings through "#+setup:" and other directives. I do not have a solid notion of all the possibilities to inject elisp code, so I am not sure that no elisp code embedded into a received file is executed during opening of the file without any user action.

When viewing a received file, I would prefer a restricted mode, at least to avoid obviously dangerous actions:
- C-c C-c for src blocks
- recalculation of a table field containing an elisp expression, accidentally fired by Tab or C-c
- export (however it would require more keystrokes, so the chance to activate it is not so significant)

I could miss some possibilities to activate arbitrary code. Just speculations, maybe such options are safe without modification of init.el: custom link handlers, dynamic blocks, column view.

A non-emacs viewer might be safer as a MIME handler despite limited functionality.

There was a thread concerning the "security considerations" section of the RFC, discussing whether the similar section of the Markdown document is suitable for org. My impression is that org is much more complex.

My worries about whether arbitrary code could be executed just by opening a file are not directly related to standardization. However, I do not think that the argument about low attack probability due to negligible popularity is appropriate in a thread discussing that standardization could make org more widespread.

2020-11-09 22:59, Jean Louis wrote:
> Quoting '%s' is
> recommended. Mailcap has security issues just as file system has.

I was not going to raise such issues. However, I agree that in shell it is quite easy to use quotes in a wrong way.

> That is why on GNU/Linux and BSD systems and other systems we have
> login with username and passwords and locking screensavers. Those are
> for use. Computers should be protected from malicious access.

I do not see why it is relevant. Joking colleagues and angry students are another attack vector. The mail reader and emacs almost certainly have privileges to put something into the user's autostart. Passwords are not involved. What could help is running a dedicated emacs used as a MIME handler inside a container with restrictive mount and network namespaces.

> For the same reason one shall be cautious of any packages coming from
> various popular package repositories as such are not verified for
> safety issues.

I would prefer not to touch the subject of the degree of trust in respect to external packages. Let's limit the scope to org "core", maybe even as a part of the emacs distribution.
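
Added example, not part of the original message: a heuristic pre-open triage in Python for the concern raised above, flagging Org constructs that carry code or pull in settings (src blocks, elisp table formulas, setup directives, code links, dynamic blocks, file-local variables) so that a mail handler could route such attachments to a non-Emacs viewer. The rule list, the names `scan_org` and `verdict`, and the sample text are assumptions made for illustration; the list is not exhaustive, and a match does not mean Emacs would run anything without user action.

```python
import re

# Heuristic patterns (assumed, not exhaustive), matched per line, case-insensitive.
RULES = [
    ("src-block",      r"^\s*#\+begin_src\b"),
    ("inline-src",     r"\bsrc_[\w-]+(\[.*?\])?\{"),
    ("call",           r"^\s*#\+call:|\bcall_[\w-]+\("),
    ("table-elisp",    r"^\s*#\+tblfm:.*'\("),
    ("setupfile",      r"^\s*#\+(setupfile|include):"),
    ("bind",           r"^\s*#\+bind:"),
    ("macro-eval",     r"^\s*#\+macro:\s*\S+\s+\(eval\b"),
    ("dynamic-block",  r"^\s*#\+begin:"),
    ("code-link",      r"\[\[(elisp|shell):"),
    ("file-local-var", r"-\*-.*\beval\s*:|^\s*#\s*Local Variables:|^\s*#\s*eval:"),
]
COMPILED = [(name, re.compile(rx, re.IGNORECASE)) for name, rx in RULES]

def scan_org(text):
    """Return a list of (line_number, rule_name) findings."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in COMPILED:
            if rx.search(line):
                findings.append((lineno, name))
    return findings

def verdict(text):
    """'plain' if nothing matched, otherwise 'review' (use a viewer, not Emacs)."""
    return "review" if scan_org(text) else "plain"

# Constructed sample attachment, for illustration only.
SAMPLE = """\
#+TITLE: Meeting notes
#+SETUPFILE: https://example.invalid/theme.org
* Budget
| 1 | 2 |   |
#+TBLFM: $3='(+ $1 $2);N
#+BEGIN_SRC emacs-lisp
(message "hello")
#+END_SRC
See [[elisp:(message "clicked")][details]].
# Local Variables:
# eval: (message "loaded")
# End:
"""

if __name__ == "__main__":
    print(verdict(SAMPLE), scan_org(SAMPLE))
```

A "plain" verdict only means none of these patterns matched; it is a routing hint for the MIME handler, not a guarantee about what Emacs will do with the file.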