GNU bug report logs - #58774
29.0.50; [WISH]: Let us make EWW browse WWW Org files correctly

Package: emacs;

Reported by: Jean Louis <bugs <at> gnu.support>

Date: Tue, 25 Oct 2022 12:13:02 UTC

Severity: wishlist

Tags: wontfix

Found in version 29.0.50

Done: Stefan Kangas <stefankangas <at> gmail.com>

Bug is archived. No further changes may be made.


Message #63 received at 58774 <at> debbugs.gnu.org (full text, mbox):

From: Stefan Kangas <stefankangas <at> gmail.com>
To: Ihor Radchenko <yantar92 <at> posteo.net>
Cc: 58774 <at> debbugs.gnu.org, "Dr. Arne Babenhauserheide" <arne_bab <at> web.de>,
 emacs-orgmode <at> gnu.org, bugs <at> gnu.support
Subject: Re: bug#58774: 29.0.50;
 [WISH]: Let us make EWW browse WWW Org files correctly
Date: Wed, 26 Oct 2022 06:15:22 -0700

Ihor Radchenko <yantar92 <at> posteo.net> writes:

>> Note that with the suggested feature, any link you follow risks being
>> loaded in Org mode, before the user even has a chance to inspect the
>> file.  Which Org features, currently existing or introduced in the
>> future, would EWW have to add workarounds for?
>
> That's not the case. Org never loads arbitrary code on loading the file
> without querying the user.

We seem to be miscommunicating.  In the above, I was merely referring to
whether org-mode is run when visiting some URL or not, which AFAIU is a
binary thing (it either does, or it doesn't).

You seem to be talking about security features in org-mode itself, which
is related, but not the same thing.  I agree that there are various
security features in org-mode.  I still don't think that we should run
org-mode just because some URL requests it.

To reiterate what I said, security problems are hard to audit and
discover.  We shouldn't expose users to additional risks just to add
such a minor convenience feature.  It is not a good trade-off.

> Strictly speaking, even eww-mode may run arbitrary code given that user
> puts something into eww-mode-hook.

My concern is not that the users should run their own code, but that
they will inadvertently run (potentially malicious) code provided by
others.

> I'd say that it will be safer to take care about necessary precautions
> rather than leaving the user with the only option to run org-mode
> manually.

Adding a `safe-org-mode' would be an improvement, but orthogonal to
whether or not we should automatically load org-mode when visiting any
URL that presents itself as serving an org file.  I think we should not
do the latter.

> If necessary, we can introduce a special variable in Org mode that will
> disable all the potential third-party code evaluation, even if user has
> customized Org to execute code without prompt.

That would also be an improvement, yes.  It would be even better if such
a variable supported whitelisting, so that users could mark only
specific files as safe for these purposes.




This bug report was last modified 1 year and 259 days ago.
