GNU bug report logs - #48676
Arbitrary code execution in Org export macros

Packages: org-mode, emacs;

Reported by: Glenn Morris <rgm <at> gnu.org>

Date: Wed, 26 May 2021 15:53:01 UTC

Severity: important

Tags: security

Found in version 28.0.50

Message #9 received at 48676 <at> debbugs.gnu.org (full text, mbox):

From: Timothy <tecosaur <at> gmail.com>
To: Glenn Morris <rgm <at> gnu.org>
Cc: 48676 <at> debbugs.gnu.org, emacs-orgmode <at> gnu.org
Subject: Re: bug#48676: Arbitrary code execution in Org export macros
Date: Thu, 27 May 2021 01:07:27 +0800
Thanks for reporting this.

Glenn Morris <rgm <at> gnu.org> writes:

> This seems contrary to normal Emacs practice for risky local variables,

Hmm, correct me if I'm wrong but the issue with risky local variables is
that they affect Emacs before the user sees them in the file? If this is
an important distinction, it means this particular type of concern does
not apply to Org #+macro statements, as they are not executed when the
user opens the file.

That said, if one were making, say, an automated Org file exporter or
something, I could see this being problematic. Perhaps a var set to
allow macros by default could be a good idea.

> and to the section "Code Evaluation and Security Issues" in the Org manual
> (which does not mention macros).

Looks like this should be updated regardless of the above.

--
Timothy

This bug report was last modified 92 days ago.

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.