GNU bug report logs - #48676
Arbitrary code execution in Org export macros


Packages: org-mode, emacs;

Reported by: Glenn Morris <rgm <at> gnu.org>

Date: Wed, 26 May 2021 15:53:01 UTC

Severity: important

Tags: security

Found in version 28.0.50




From: Ihor Radchenko <yantar92 <at> posteo.net>
To: Stefan Kangas <stefankangas <at> gmail.com>
Cc: Glenn Morris <rgm <at> gnu.org>, 48676 <at> debbugs.gnu.org
Subject: bug#48676: Arbitrary code execution in Org export macros
Date: Sat, 15 Mar 2025 17:36:20 +0000

Stefan Kangas <stefankangas <at> gmail.com> writes:

>> #+macro: hello (eval (shell-command-to-string "touch /tmp/HELLO"))
>> Hello. {{{hello}}}
>>
>> Then:
>> M-x org-export-dispatch
>> t A
>>
>> -> now /tmp/HELLO exist, with no prompting.
>>
>> This seems contrary to normal Emacs practice for risky local variables,
>> and to the section "Code Evaluation and Security Issues" in the Org manual
>> (which does not mention macros).
>
> Ihor, could you please look into this bug?

This is a known problem.
I do not see it as a bug (user needs to execute a command), but indeed
code evaluation control should eventually be improved. It should just be
designed properly.

See more discussion in https://list.orgmode.org/orgmode/87edsd5o89.fsf <at> localhost/

-- 
Ihor Radchenko // yantar92,
Org mode maintainer,
Learn more about Org mode at <https://orgmode.org/>.
Support Org development at <https://liberapay.com/org-mode>,
or support my work at <https://liberapay.com/yantar92>
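Added example, not part of the bug report and not Org's own code: a small scanner, run outside Emacs, that flags the construct the report demonstrates, a "#+macro:" definition whose body starts with "(eval", which Org evaluates as Emacs Lisp when the document is exported, and lists the lines where each flagged macro is invoked with "{{{name}}}". It assumes only the keyword syntax shown in the report (Org keyword lines matched case-insensitively and allowed to be indented, "{{{name}}}" and "{{{name(args)}}}" invocations); the sample .org text is constructed for the example.

```python
"""Audit an Org file for export macros that evaluate Emacs Lisp.

Org expands "#+macro:" definitions at export time.  A definition whose
body begins with "(eval" is run as Emacs Lisp, so an untrusted .org file
can execute a shell command on export without any prompt, as the bug
report shows with (shell-command-to-string "touch /tmp/HELLO").  This
scanner runs outside Emacs so the file is never handed to the exporter.
"""
import re
from typing import Dict, List

# Org keyword lines are case-insensitive and may be indented.
MACRO_DEF = re.compile(
    r"^\s*#\+macro:\s*(?P<name>[-\w]+)\s+(?P<body>.*)$", re.IGNORECASE)
# Invocation: {{{name}}} or {{{name(arg1, arg2)}}}
MACRO_USE = re.compile(r"\{\{\{(?P<name>[-\w]+)(?:\([^)]*\))?\}\}\}")
# A body starting with "(eval" is evaluated as Emacs Lisp during export.
# Matched case-insensitively on purpose: a false positive costs a look,
# a false negative costs a shell.
EVAL_BODY = re.compile(r"^\(\s*eval\b", re.IGNORECASE)

# Constructed sample input, modelled on the macro in the bug report.
SAMPLE_ORG = """\
#+title: Demo
#+macro: hello (eval (shell-command-to-string "touch /tmp/HELLO"))
#+MACRO: version 1.2.3
#+macro: greet Hello, $1!
Hello. {{{hello}}}
Version {{{version}}}, {{{greet(World)}}}
"""


def find_eval_macros(org_text: str) -> List[Dict]:
    """Return one record per "#+macro:" whose body is an (eval ...) form.

    Each record carries the macro name, the line of its definition, the
    raw body, and the line numbers where it is invoked.  Macro names are
    compared case-insensitively (assumption: conservative matching).
    """
    lines = org_text.splitlines()
    flagged: Dict[str, Dict] = {}
    for lineno, line in enumerate(lines, 1):
        m = MACRO_DEF.match(line)
        if m and EVAL_BODY.match(m.group("body")):
            flagged[m.group("name").lower()] = {
                "name": m.group("name"),
                "line": lineno,
                "body": m.group("body"),
                "uses": [],
            }
    # Second pass: record where each flagged macro is actually expanded.
    for lineno, line in enumerate(lines, 1):
        for m in MACRO_USE.finditer(line):
            rec = flagged.get(m.group("name").lower())
            if rec is not None:
                rec["uses"].append(lineno)
    return sorted(flagged.values(), key=lambda r: r["line"])


def format_report(records: List[Dict]) -> List[str]:
    """Render the findings as one human-readable line per macro."""
    out = []
    for rec in records:
        uses = ", ".join(str(n) for n in rec["uses"]) or "never invoked"
        out.append(f'line {rec["line"]}: macro "{rec["name"]}" evaluates '
                   f'Lisp on export (used on: {uses}): {rec["body"]}')
    return out


if __name__ == "__main__":
    for line in format_report(find_eval_macros(SAMPLE_ORG)):
        print(line)
```

Run it against any .org file received from an untrusted source before exporting; a macro that is defined but never invoked is still reported, since a single "{{{name}}}" added later is enough to trigger it.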





