GNU bug report logs -
#48676
Arbitrary code execution in Org export macros
On 08/02/2025 05:11, Stefan Kangas wrote:
> Glenn Morris writes:
>> #+macro: hello (eval (shell-command-to-string "touch /tmp/HELLO"))
>> Hello. {{{hello}}}
>>
>> Then: M-x org-export-dispatch t A[...]
>
> Ihor, could you please look into this bug?
Disclaimer: I am not Ihor.
In my opinion, it is an important, but not an urgent issue.
I do not see a way to unintentionally invoke export in the default
configuration. It requires C-x C-e and a couple of extra keys
to select the format. The user can abort the process after accidentally
starting the export dispatcher. So this issue is less severe than
e.g. CVE-2024-53920 (indirectly related to bug#32495 completion
and bug#37656 flymake), where it is enough to open some file
to cause execution of embedded code.
I admit there are user configurations and some packages that
may add an easy-access binding, e.g. to copy the selection as HTML
or as Markdown, that runs org-export under the hood.
Execution of code really may be surprising for novices,
but for experienced Org users it is a powerful feature.
I do not mind that a warning related to macros may be added to
(info "(org) Code-Evaluation-Security")
and linked from (info "(org) Exporting") subsection
(info "(org) Macro-Replacement").
What may help to mitigate the issue is the recently introduced
`trusted-content' variable (that still may be renamed to
`macros-always-safe' or to something even more confusing).
Maybe more flexible settings should be implemented.
I expect Glenn does not assume that `org-export'
should be affected by user options related to
(info "(emacs) File-Variables"),
and it was just an example of a similar approach.
There was an attempt to fix this kind of issue in Org.
Unfortunately a naive approach caused severe user inconvenience
and the changes were reverted. I am afraid, as a consequence,
some users even disabled existing protection related to `org-babel'.
I recall a discussion on the emacs-orgmode mailing list
about how to manage the degree of trust for specific Org mode documents.
I do not think it would harm to put eval macros behind
`trusted-content' when this variable is available,
but it would not be a complete fix. Org supports previous
Emacs releases.
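The following is an added illustration of the mitigation the message sketches (gating eval macros on `trusted-content' where it exists); it is not code from the bug report, from Org, or from Emacs. It assumes, as hypothetical choices, that a `:before' advice on `org-export-dispatch' is an acceptable hook point and that a yes-or-no prompt is an acceptable fallback on Emacs releases without `trusted-content-p'. The helper names `my-org-buffer-eval-macros' and `my-org-guard-eval-macros' are invented for the example.

```elisp
;; Added example, not part of the bug report, Org or Emacs.
;; Refuse to start an interactive export of a buffer that defines
;; "#+macro: NAME (eval ...)" templates unless the buffer is trusted.
;; Assumptions: advising `org-export-dispatch' is an acceptable hook
;; point; on Emacs without `trusted-content-p' a prompt is acceptable.

(require 'org)

(defun my-org-buffer-eval-macros ()
  "Return names of #+macro: definitions in the current buffer whose
template starts with (eval ...).  Each one runs Lisp during export."
  (save-excursion
    (goto-char (point-min))
    (let ((case-fold-search t)          ; #+MACRO: is also accepted by Org
          (names nil))
      (while (re-search-forward
              "^[ \t]*#\\+macro:[ \t]+\\([-a-zA-Z0-9_]+\\)[ \t]+(eval\\b"
              nil t)
        (push (match-string-no-properties 1) names))
      (nreverse names))))

(defun my-org-guard-eval-macros (&rest _args)
  "Signal `user-error' before export if the buffer has eval macros
and its content is not trusted.  Intended as :before advice."
  (let ((macros (my-org-buffer-eval-macros)))
    (when macros
      (cond
       ;; Emacs 30 and later: honour `trusted-content'/`untrusted-content'.
       ((fboundp 'trusted-content-p)
        (unless (trusted-content-p)
          (user-error "Refusing to export: untrusted buffer defines eval macro(s): %s"
                      (mapconcat #'identity macros ", "))))
       ;; Older Emacs has no trust model; ask instead (assumption).
       ((not (yes-or-no-p
              (format "Buffer defines eval macro(s) %s; run them during export? "
                      (mapconcat #'identity macros ", "))))
        (user-error "Export aborted"))))))

;; The check runs in the source buffer, before Org copies it for export,
;; so `trusted-content-p' sees the real file name.
(advice-add 'org-export-dispatch :before #'my-org-guard-eval-macros)
```

With the example from the report (`#+macro: hello (eval (shell-command-to-string "touch /tmp/HELLO"))`) in an untrusted file, `M-x org-export-dispatch` now stops with an error before any format is chosen. The guard only covers the interactive dispatcher: a package that calls `org-export-as' or `org-export-to-buffer' directly (the copy-as-HTML bindings mentioned above) bypasses it, and a guard placed on those functions would run in the export copy buffer, where the trust decision has to be taken from the original buffer's file name.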
This bug report was last modified 92 days ago.
GNU bug tracking system