GNU bug report logs - #58774
29.0.50; [WISH]: Let us make EWW browse WWW Org files correctly

Previous Next

Full log

Message #31 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Jean Louis <bugs <at> gnu.support>
To: "Dr. Arne Babenhauserheide" <arne_bab <at> web.de>
Cc: bug-gnu-emacs <at> gnu.org, emacs-orgmode <at> gnu.org
Subject: Re: 29.0.50; [WISH]: Let us make EWW browse WWW Org files correctly
Date: Wed, 26 Oct 2022 10:57:16 +0300

* Dr. Arne Babenhauserheide <arne_bab <at> web.de> [2022-10-26 01:02]:
> All of the Emacs packages have some amount of implicit trust.

Users are unaware what package may do, and packages are everywhere on
Internet. That is not a problem that I wish to solve.

> If you ask me whether I can make this work safely: This would first
> require the introduction of a safe-org-mode which strictly disables all
> features that can execute remote code or disguise unsafe operations as
> safe ones. If a user then decides to explicitly call M-x org-mode,
> that’s their problem.

Thanks, though, that was not my request.

Please note that you miss very important issue, and that is that all
browsers support customization on how to open specific content types,
so it is quite trivial to customize in browser to open Common Lisp
program with Common Lisp. 

Thus all of browsers who allow content type customization are
analogous to problem you are presenting, which in fact is no practical
problem at all. 

Find the victim first, then present the problem.

To understand is that content type opening is generally not secure and
that it is user choice.

I am user of Org mode, and all I wish is to adapt eww to invoke
command "org-mode" once content type text/x-org has been recognized.

This way I can browse Org files directly, it is very useful for me as
I have bunch of files.

> If you ask me whether I know how to make this work unsafely: It likely
> won’t need a lot of elisp reading, but I do not, because I do not look
> for it, because if I did, I would not.

Well then 👀

> I do not want to be the one who caused the systems of eww users to get
> breached, or who helped opening that security hole.

See above, all other content types and URL links may be customized by
user to be opened how users want it. 

Your security presentation lacks the background knowledge.

See the attached screenshot how easy it was to customize IceWeasel or
Firefox derivate to open Org files by using Emacs client. I have
script called "edit" which invoces emacsclient.

-- 
Jean

Take action in Free Software Foundation campaigns:
https://www.fsf.org/campaigns

In support of Richard M. Stallman
https://stallmansupport.org/

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.