GNU bug report logs -
#48676
Arbitrary code execution in Org export macros
Glenn,
thanks for the report.
I guess my take is that macro-evaluation, and that of other forms,
should be subject to the same restrictions as that of source block
evaluation, i.e., prompting for permission to execute, subject to
=org-confirm-babel-evaluate= (or, more specific variables).
cheers, Greg
> Package: emacs,org-mode
> Version: 28.0.50
> Severity: important
> Tags: security
>
> emacs -Q hello.org, where hello.org contains:
>
> #+macro: hello (eval (shell-command-to-string "touch /tmp/HELLO"))
> Hello. {{{hello}}}
>
> Then:
> M-x org-export-dispatch
> t A
>
> -> now /tmp/HELLO exists, with no prompting.
>
> This seems contrary to normal Emacs practice for risky local variables,
> and to the section "Code Evaluation and Security Issues" in the Org manual
> (which does not mention macros).
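A defensive check in the direction the reply proposes, added here as an example and not code from the bug report or from Org itself: before export it scans the buffer for #+MACRO definitions whose template is an (eval ...) form and prompts for each one, honouring org-confirm-babel-evaluate the way Babel does. The my/ function names are this example's own; the hook name is the one Org used at the time of the report (Org 9.4/9.5).

```elisp
;; Added example (not from the bug report or Org): prompt before export
;; for #+MACRO templates that evaluate Lisp, mirroring Babel's
;; `org-confirm-babel-evaluate' guard.
(require 'org)

(defun my/org-macro-eval-templates ()
  "Return (NAME . TEMPLATE) for each #+MACRO in the current buffer
whose template starts with an (eval ...) form."
  (let ((case-fold-search t)
        (found nil))
    (save-excursion
      (goto-char (point-min))
      (while (re-search-forward
              "^[ \t]*#\\+macro:[ \t]+\\([-[:alnum:]_]+\\)[ \t]+\\(.*\\)$"
              nil t)
        (let ((name (match-string-no-properties 1))
              (template (match-string-no-properties 2)))
          ;; Org only evaluates templates whose first form is `eval'.
          (when (string-match-p "\\`[ \t]*(eval\\_>" template)
            (push (cons name template) found)))))
    (nreverse found)))

(defun my/org-macro-needs-confirmation-p (template)
  "Apply `org-confirm-babel-evaluate' to macro TEMPLATE as if it were
an emacs-lisp source block body."
  (if (functionp org-confirm-babel-evaluate)
      (funcall org-confirm-babel-evaluate "emacs-lisp" template)
    org-confirm-babel-evaluate))

(defun my/org-confirm-eval-macros (_backend)
  "Export hook: ask once per evaluating macro; abort export on refusal.
Runs in the buffer copy Org exports from, so no edits are needed."
  (dolist (m (my/org-macro-eval-templates))
    (when (and (my/org-macro-needs-confirmation-p (cdr m))
               (not (yes-or-no-p
                     (format "Evaluate Lisp in Org macro %s for export? %s "
                             (car m) (cdr m)))))
      (user-error "Export aborted: macro %s not evaluated" (car m)))))

;; Hook name as of Org 9.4/9.5; the function receives the backend symbol.
(add-hook 'org-export-before-processing-hook #'my/org-confirm-eval-macros)
```

With this loaded, exporting the hello.org from the report prompts for the `hello` macro and aborts the export if the user declines.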