From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp12.migadu.com ([2001:41d0:2:bcc0::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms5.migadu.com with LMTPS id gOUgOPMOm2OaRwAAbAwnHQ (envelope-from ) for ; Thu, 15 Dec 2022 13:11:31 +0100 Received: from aspmx1.migadu.com ([2001:41d0:2:bcc0::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp12.migadu.com with LMTPS id ULn/N/MOm2OUBAEAauVa8A (envelope-from ) for ; Thu, 15 Dec 2022 13:11:31 +0100 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id C22DFA3A3 for ; Thu, 15 Dec 2022 13:11:31 +0100 (CET) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1p5n4Y-00049i-25; Thu, 15 Dec 2022 07:10:46 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1p5n4W-00049P-5u for emacs-orgmode@gnu.org; Thu, 15 Dec 2022 07:10:44 -0500 Received: from ciao.gmane.io ([116.202.254.214]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1p5n4U-0006UD-IH for emacs-orgmode@gnu.org; Thu, 15 Dec 2022 07:10:43 -0500 Received: from list by ciao.gmane.io with local (Exim 4.92) (envelope-from ) id 1p5n4R-0005vt-Vb for emacs-orgmode@gnu.org; Thu, 15 Dec 2022 13:10:39 +0100 X-Injected-Via-Gmane: http://gmane.org/ To: emacs-orgmode@gnu.org From: Max Nikulin Subject: Re: [PATCH] ob-core: add org-confirm-babel-evaluate-cell custom variable Date: Thu, 15 Dec 2022 19:10:33 +0700 Message-ID: References: <87359ld5ye.fsf@kyleam.com> <874ju0j538.fsf@localhost> <87len9uj5s.fsf@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.4.2 Content-Language: en-US In-Reply-To: <87len9uj5s.fsf@localhost> Received-SPF: pass client-ip=116.202.254.214; envelope-from=geo-emacs-orgmode@m.gmane-mx.org; helo=ciao.gmane.io X-Spam_score_int: 26 X-Spam_score: 2.6 X-Spam_bar: ++ X-Spam_report: (2.6 / 5.0 requ) BAYES_00=-1.9, DKIM_ADSP_CUSTOM_MED=0.001, FORGED_GMAIL_RCVD=1, FORGED_MUA_MOZILLA=2.309, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, NICE_REPLY_A=-0.001, NML_ADSP_CUSTOM_MED=0.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=no autolearn_force=no X-Spam_action: no action X-BeenThere: emacs-orgmode@gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "General discussions about Org-mode." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: emacs-orgmode-bounces+larch=yhetil.org@gnu.org Sender: emacs-orgmode-bounces+larch=yhetil.org@gnu.org X-Migadu-Flow: FLOW_IN X-Migadu-Country: US ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=none; spf=pass (aspmx1.migadu.com: domain of "emacs-orgmode-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="emacs-orgmode-bounces+larch=yhetil.org@gnu.org"; dmarc=fail reason="SPF not aligned (relaxed), No valid DKIM" header.from=gmail.com (policy=none) ARC-Seal: i=1; s=key1; d=yhetil.org; t=1671106291; a=rsa-sha256; cv=none; b=s7ikR1DExFGr38is+Q3ne5nprSRzLGgJF7G3LY5KFfwtHf1aoAD1w+WFn4ghpHB5UWaaBO IKy07PclgpEOeKd+5M2aYBomUCY5dK1cd8DXlW/YQWfNGoqbKPEOy7dew9CCh09RckwODj zWYgZOddnWEo/MWA8z9CLg7Lz6EW72olyQis8UIdbQme0ResrqNcrMQC42ERcLx3cUz4Jn xiV/cyFZNss6IjK+D6MIIJwxpZA9C9+YkP4iXYVBUcp4IbrpHWyGujfPW4Dbh7ApBo1X7K 3gjQq4apqT8ckv7xclpEqrNa1jo/qeljhO6DF7wuarhyO/XwXEKBuQ8gceoYvQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1671106291; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:list-id:list-help: list-unsubscribe:list-subscribe:list-post; bh=Hkd07YrydG+B7mXAOybOwWzUvBJnRWf1VYD4ed3Fgbg=; b=fy+x3xp3j/BEVAG9Ql4hKYn+r6BxZdKdzv0Vm3IYb9J7Om5poGfqDbUalAjI/o/JFqb7tw 0CM6IcZizSDb56X5IPRUQY0M3nR1bgnV9P3v8HihNuucT1oFLWdljcYE3RvVVdCOwii4iK 5LoU4v/i3lhB6U+5yFu5xps5HmbbBys3AdjOPVu1Y/2ILaw61t7efZj5glhLe5bHRLb8Mb B2rbpb0zQXWKrvLbi6H371cngjL7Z4Dbtx54ylL1hIrqfUvzbNIrnJ1iSWylnhyzRfDwED DXLaQrY6naHeDIfkALbnDi8chO7Tu25Yuw0saMu+aOWxz9Acusr1BrTy+ubSwA== X-Migadu-Spam-Score: 1.92 X-Spam-Score: 1.92 X-Migadu-Queue-Id: C22DFA3A3 Authentication-Results: aspmx1.migadu.com; dkim=none; spf=pass (aspmx1.migadu.com: domain of "emacs-orgmode-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="emacs-orgmode-bounces+larch=yhetil.org@gnu.org"; dmarc=fail reason="SPF not aligned (relaxed), No valid DKIM" header.from=gmail.com (policy=none) X-Migadu-Scanner: scn0.migadu.com X-TUID: 9+TnqbbZv87t On 15/12/2022 16:10, Ihor Radchenko wrote: > Max Nikulin writes: > >> I am still in doubts if >> >> 10e857d42 2022-10-28 11:09:50 +0800 Ihor Radchenko: org-babel-read: Obey >> `org-confirm-babel-evaluate' >> >> was an unambiguous improvement. Perhaps it just forces more users to set >> `org-confirm-babel-evaluate' to nil compromising their security to more >> severe degree. > > Should we then extend `org-babel-check-evaluate' to accept "All" answer > in the coming bugfix release? I would consider reverting the commit causing user prompt for every variable. I believe, there should be single prompt on attempt to execute a source block. I admit it is not easy to implement. Main purpose of the new patch is to allow old behavior. Unfortunately it adds more complexity to logic around user prompts and classifying some expressions as safe. I am not comfortable with attempts to consider Org as a format for web browser similar to HTML: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=58774 Features great for personal notebooks and authoring of documents are disaster for documents from non-trusted sources. In particular, I consider the following reaction as unreasonably optimistic. I am afraid, a lot of work is required to achieve such goal. https://list.orgmode.org/Y1uFDWOjZb85lk+3@protected.localdomain Re: [BUG][Security] begin_src :var evaluated before the prompt to confirm execution On 28/10/2022 14:30, Jean Louis wrote: > * Ihor Radchenko [2022-10-28 06:19]: >> Jean Louis writes: >>> * Max Nikulin [2022-10-27 06:21]: >>>> Expected result: >>>> No code from the Org buffer and linked files is executed prior to >>>> confirmation from the user. >>> >>> Should that be or is it a general policy for Org mode? >> >> Yes, it is a general policy. >> Org should not execute arbitrary Elisp without confirmation, unless the >> user customizes the confirmation query to non-default. > > That is nice to know. It opens doors for browsing Org files within Emacs. On 15/12/2022 16:10, Ihor Radchenko wrote: > In future release, we may go for more powerful prompt as discussed in > https://orgmode.org/list/8735cyxonl.fsf@localhost Single prompt for whole bunch of code related to particular block was not discussed in that thread, that time the issue was not as sever as now. By the way, is it reliable to use (buffer-file-name (buffer-base-buffer)) in `org-confirm-babel-evaluate' to determine if some file resides in a "safe" directory? It may be discussed in that thread. I believe that :var code is equally dangerous to the source block body. However while nobody pushes Org as a web browser format, it is better to implement a transparent and consistent approach to prevention of non-trusted code execution.