GNU bug report logs -
#48676
Arbitrary code execution in Org export macros
Hi Glenn,

The definition for local variables doesn't cover things like org
macros, though the spirit of the policy is something worth keeping in
mind. Running M-x org-export-dispatch and hitting two keys means that
the user has to do something to trigger code execution, much like they
would have to intentionally accept certain risky local variables.

That said, the fact that many org operations can run arbitrary code is
definitely something that needs clearer documentation. It might make
sense to add a setting to detect closures that appear in org files to
ask for permission before running, but it likely should not be on by
default.

For a fairly extensive discussion of code execution in org see this
thread from Nov 2020.
https://orgmode.org/list/robi94$ma$1 <at> ciao.gmane.io/#t

Best,
Tom

This bug report was last modified 118 days ago.