emacs-orgmode@gnu.org archives
From: Max Nikulin <manikulin@gmail.com>
To: emacs-orgmode@gnu.org
Subject: [BUG][Security] begin_src :var evaluated before the prompt to confirm execution
Date: Thu, 27 Oct 2022 10:18:05 +0700	[thread overview]
Message-ID: <tjct9e$179u$1@ciao.gmane.io> (raw)

Hi,

First of all, I apologize. I believed that a dedicated report raising 
this issue had been posted to this mailing list by somebody. I cannot find 
such a message, and in my notes the heading is linked to a quite general 
discussion related to source blocks.

Consider the following source block

---- >8 ----
#+begin_src elisp :var a=(message "%s" "pwnd")
   a
#+end_src
---- 8< ----

Open the "*Messages*" buffer (C-h e) and try to evaluate the source 
block (C-c C-c).

Actual result:
The "pwnd" message appears in "*Messages*" simultaneously with the user 
prompt asking whether the code should be executed.

Expected result:
No code from the Org buffer and linked files is executed prior to 
confirmation from the user.

Emacs-26.3, Org version is current main HEAD:

6bbd08f5a 2022-10-26 15:15:42 +0800 Ihor Radchenko: 
org-datetree-insert-line: Fix blank line insertion

I consider such issues a reason why it is a bad idea to use Emacs as a 
handler for Org files downloaded from the web. Such files should first be 
inspected in some viewer that is unable to execute embedded code. A 
strong reason should be necessary to open a file from a non-trusted 
source in Emacs.

I never considered this issue a really urgent one, because a user 
should at least hit C-c C-c to activate malicious code. It has similar 
severity to refreshing table cell formulas, which would be almost unusable 
if protected by a user prompt.

To be honest, this is the only real issue I have noticed since people on 
this list tried to convince me 2 years ago that Org is quite safe with 
respect to unsolicited execution of embedded code.
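As an added check that is not part of this report and not code from Org mode itself: a small Python scanner that flags ":var" values written as parenthesised Lisp forms, which Babel evaluates as Emacs Lisp when it resolves the header arguments. It looks at "#+begin_src", "#+header:" and "#+property:" lines and at inline "src_lang[...]{...}" blocks, so an Org file from an untrusted source can be inspected as text without loading it in Emacs. The sample Org text below is constructed for the example, and the function and class names are the example's own, not Org's.

```python
"""Pre-flight scan of Org text for :var header arguments that carry Lisp forms.

Babel resolves ':var NAME=(...)' by evaluating the parenthesised form as
Emacs Lisp.  This scanner only reads text, so it can be run on a downloaded
Org file before deciding whether to open it in Emacs at all.
"""
import re
from dataclasses import dataclass

# Lines on which Babel header arguments appear: the #+begin_src line itself,
# a preceding #+header: line, and #+property: header-args ... lines.
HEADER_LINE_RE = re.compile(r"^\s*#\+(?:begin_src|header:|property:)\s*(.*)$",
                            re.IGNORECASE)
# Inline source blocks: src_LANG[HEADER ARGS]{BODY}
INLINE_SRC_RE = re.compile(r"src_\w+\[([^\]]*)\]\{")
# ':var NAME=' ; the value is inspected separately because it may contain spaces
VAR_RE = re.compile(r":var\s+([^\s=]+)=")

# Constructed sample (not a real file): one benign block, three risky ones.
SAMPLE_ORG = """#+title: constructed sample
#+property: header-args :var base=1
#+begin_src elisp :var a=(message "%s" "pwnd")
   a
#+end_src
#+begin_src python :var n=42 :results output
print(n)
#+end_src
#+header: :var b=(shell-command-to-string "id")
#+begin_src sh
echo "$b"
#+end_src
Inline form: src_elisp[:var c=(getenv "HOME")]{c} in a sentence.
"""


@dataclass
class Finding:
    line: int   # 1-based line number in the Org text
    name: str   # variable name on the left of '='
    form: str   # the Lisp form Babel would evaluate


def _balanced_form(s: str, start: int) -> str:
    """Return the parenthesised form starting at s[start]; string-aware."""
    depth, in_string, i = 0, False, start
    while i < len(s):
        c = s[i]
        if in_string:
            if c == "\\":
                i += 1          # skip an escaped character inside a Lisp string
            elif c == '"':
                in_string = False
        elif c == '"':
            in_string = True
        elif c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
            if depth == 0:
                return s[start:i + 1]
        i += 1
    return s[start:]            # unbalanced form: still worth reporting


def _scan_args(args: str, line_no: int) -> list:
    """Collect every :var assignment in a header-argument string whose value is a Lisp form."""
    out = []
    for m in VAR_RE.finditer(args):
        value_start = m.end()
        if value_start < len(args) and args[value_start] == "(":
            out.append(Finding(line_no, m.group(1), _balanced_form(args, value_start)))
    return out


def find_var_lisp_forms(org_text: str) -> list:
    """Return Finding objects for every :var value that is a parenthesised Lisp form."""
    findings = []
    for line_no, line in enumerate(org_text.splitlines(), start=1):
        m = HEADER_LINE_RE.match(line)
        if m:
            findings.extend(_scan_args(m.group(1), line_no))
        for im in INLINE_SRC_RE.finditer(line):
            findings.extend(_scan_args(im.group(1), line_no))
    return findings


if __name__ == "__main__":
    for f in find_var_lisp_forms(SAMPLE_ORG):
        print(f"line {f.line}: :var {f.name}={f.form}")
```

Run it against a saved file with "find_var_lisp_forms(open(path).read())"; a non-empty result means the file contains header arguments that would run Lisp when Babel resolves them, before any confirmation prompt as described in the report. Literal values such as ":var n=42" and references to named blocks or tables are deliberately left alone, so the output is short enough to read by eye.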





Thread overview: 11+ messages
2022-10-27  3:18 Max Nikulin [this message]
2022-10-27  4:22 ` [BUG][Security] begin_src :var evaluated before the prompt to confirm execution Jean Louis
2022-10-27  4:46   ` Max Nikulin
2022-10-28  4:33     ` Ihor Radchenko
2022-10-28  3:19   ` Ihor Radchenko
2022-10-28  4:11     ` Max Nikulin
2022-10-28  7:30     ` Jean Louis
2022-10-28  3:15 ` [PATCH] " Ihor Radchenko
2022-10-28 17:12   ` Max Nikulin
2022-10-29  3:19     ` Ihor Radchenko
2022-11-10  5:55   ` Ihor Radchenko

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/emacs/org-mode.git
