To: emacs-orgmode@gnu.org
From: Max Nikulin
Subject: [BUG][Security] begin_src :var evaluated before the prompt to confirm execution
Date: Thu, 27 Oct 2022 10:18:05 +0700
List-Id: "General discussions about Org-mode."
Hi,

First, I apologize. I believed that a dedicated report raising this issue was posted to this mailing list by somebody. I cannot find such a message, and in my notes the heading is linked to a quite general discussion related to source blocks.

Consider the following source block:

---- >8 ----
#+begin_src elisp :var a=(message "%s" "pwnd")
a
#+end_src
---- 8< ----

Open the "*Messages*" buffer (C-h e) and try to evaluate the source block (C-c C-c).

Actual result: the "pwnd" message appears in "*Messages*" simultaneously with the user prompt asking whether the code should be executed.

Expected result: no code from the Org buffer and linked files is executed prior to confirmation from the user.

Emacs 26.3, Org version is current main HEAD: 6bbd08f5a 2022-10-26 15:15:42 +0800 Ihor Radchenko: org-datetree-insert-line: Fix blank line insertion

I consider such issues a reason why it is a bad idea to use Emacs as a handler for Org files downloaded from the web. Such files should first be inspected in some viewer unable to execute embedded code. A strong reason should be necessary to call Emacs for a file from a non-trusted source.

I never considered this issue a really urgent one because a user should at least hit C-c C-c to activate malicious code. It has similar severity to refreshing table cell formulas, which would be almost unusable if protected by a user prompt.

To be honest, this is the only real issue I have noticed since people on this list tried to convince me 2 years ago that Org is quite safe in respect to unsolicited execution of embedded code.
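The report's advice is to inspect an untrusted Org file in something that cannot evaluate it before Emacs ever sees it. The script below is an added example of such a pre-screen; it is not code from the report or from the Org project. It reads an Org file as plain text and lists the constructs that Org Babel resolves or evaluates: source blocks with their :var header arguments (classifying each value as a Lisp form, a block call, a bare reference or a literal) and #+call: lines. The header-argument parsing is a deliberate simplification (only :var on the #+begin_src line itself; #+header: lines and property drawers are not handled), and the sample Org text at the bottom is constructed for the demonstration.

```python
#!/usr/bin/env python3
"""Static pre-screen for Org files from untrusted sources (added example).

Lists constructs Org Babel may evaluate (source blocks, their :var header
arguments, #+call: lines) without opening the file in Emacs."""
import re
import sys

# Opening line of a source block: "#+begin_src LANG [HEADER ARGS]"
BEGIN_SRC = re.compile(r"^\s*#\+begin_src\s+(\S+)\s*(.*)$", re.IGNORECASE)
CALL_LINE = re.compile(r"^\s*#\+call:\s*(.*)$", re.IGNORECASE)


def _read_lisp_form(text, start):
    """Return (form, end_index) for the parenthesised form at text[start].
    Tracks nesting and double-quoted strings so ')' inside a string is ignored."""
    depth, in_string, i = 0, False, start
    while i < len(text):
        ch = text[i]
        if in_string:
            if ch == "\\":
                i += 1                       # skip the escaped character
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return text[start:i + 1], i + 1
        i += 1
    return text[start:], len(text)           # unbalanced form: take the rest


def classify_var_value(value):
    """How Org Babel resolves a :var value, from most to least concerning."""
    if value.startswith("("):
        return "lisp-form"    # evaluated as Emacs Lisp when the variable is resolved
    if "(" in value:
        return "block-call"   # NAME(args): evaluates the named source block
    if re.fullmatch(r'"[^"]*"|-?\d+(\.\d+)?', value):
        return "literal"      # plain string or number, nothing to evaluate
    return "reference"        # named table or block; a block reference is evaluated


def parse_vars(header):
    """Extract every ':var NAME=VALUE' from a header-argument string."""
    found = []
    for m in re.finditer(r":var\s+([^\s=]+)=", header):
        pos = m.end()
        if pos < len(header) and header[pos] == "(":
            value, _ = _read_lisp_form(header, pos)
        else:
            value = re.match(r"\S*", header[pos:]).group(0)
        found.append({"name": m.group(1), "value": value,
                      "kind": classify_var_value(value)})
    return found


def scan_org(text):
    """One finding per construct that may trigger evaluation, with its line number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = BEGIN_SRC.match(line)
        if m:
            findings.append({"line": lineno, "kind": "src-block", "lang": m.group(1),
                             "vars": parse_vars(m.group(2))})
            continue
        m = CALL_LINE.match(line)
        if m:
            findings.append({"line": lineno, "kind": "call",
                             "target": m.group(1).strip()})
    return findings


def risky(findings):
    """Findings to read before the file is opened in Emacs: every #+call: line
    and every block whose :var resolution itself runs code."""
    return [f for f in findings
            if f["kind"] == "call"
            or any(v["kind"] in ("lisp-form", "block-call") for v in f.get("vars", []))]


# Constructed sample: the block from the report, a benign block and a #+call: line.
SAMPLE = '''* Notes
#+begin_src elisp :var a=(message "%s" "pwnd")
a
#+end_src

#+begin_src python :var n=3 :results output
print(n)
#+end_src

#+call: build-report()
'''

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for f in risky(scan_org(text)):
        print(f"line {f['line']}: {f['kind']} {f.get('vars') or f.get('target')}")
```

Run it as `python3 prescreen.py file.org` (or with no argument to scan the built-in sample). On the sample it reports line 2, where the :var value is a Lisp form that Org evaluates while resolving the variable, and line 10, the #+call: line; the block whose only variable is the literal 3 is not listed. The point of the classification is exactly the one the report makes: the :var value is code that runs as part of preparing the block, so a reviewer needs to see it even if they would have said "no" at the confirmation prompt.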