GNU bug report logs - #68687
[PATCH] Use text/org media type


Package: emacs

Reported by: Max Nikulin <manikulin <at> gmail.com>

Date: Wed, 24 Jan 2024 14:45:01 UTC

Severity: wishlist

Tags: patch



Message #52 received at 68687 <at> debbugs.gnu.org (full text, mbox):

From: Mike Kupfer <kupfer <at> rawbw.com>
To: Ihor Radchenko <yantar92 <at> posteo.net>
Cc: rms <at> gnu.org, 68687 <at> debbugs.gnu.org, emacs-orgmode <at> gnu.org,
 stefankangas <at> gmail.com, Eli Zaretskii <eliz <at> gnu.org>, manikulin <at> gmail.com
Subject: Org mode code evaluation (was: bug#68687: [PATCH] Use text/org media
 type)
Date: Tue, 30 Jan 2024 09:12:49 -0800

Ihor Radchenko wrote:

> Max is referring to various security issues with evaluating code inside
> Org mode buffers. They are known, but not relevant to Org text being
> displayed in email MUA - Org never evaluates any code automatically
> without user explicitly asking for it. And in MUA, Org mode is simply
> used to apply faces. No other interaction with the displayed text/org
> mime part is allowed.

I can believe that Org text snippets are safe in an email MUA.  

But in the general case, I don't think Org mode is quite as safe as you
implied.  The last I heard, conversion from Org mode to another format
(e.g., plain text or HTML) can result in code evaluation, without the
user authorizing it (see
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=48676).  I would not
expect random users to understand that format conversion is a
potentially risky operation.

mike




This bug report was last modified 1 year and 134 days ago.


