
Re: Thoughts on the standardization of Org


From: Jean Louis
Subject: Re: Thoughts on the standardization of Org
Date: Mon, 9 Nov 2020 18:59:17 +0300
User-agent: Mutt/2.0 (3d08634) (2020-11-07)

* Maxim Nikulin <manikulin@gmail.com> [2020-11-09 17:06]:
> 2020-11-08 Jean Louis wrote:
> > That is right, I am using it since years in ~/.mailcap that works well
> > for mutt email client.
> > 
> > text/org;   emacsclient %s; nametemplate=%s.org;
> > text/x-org; emacsclient %s; nametemplate=%s.org;
> 
> Just for curiosity, couldn't it lead to execution of arbitrary code
> placed into elisp table expressions, some macro, etc.?

The file name is created on the fly, like a temporary file name. Email
does not carry a file name.

But it is true that file names can be used maliciously. Only not in
the case when I am opening Org file from Mutt email client or others.

But if I would be opening Org file with some malicious file name from
other software, I guess there could be problems. Quoting '%s' is
recommended. Mailcap has security issues just as file system has.

When the file is opened there is an Org file. There is no automatic execution
unless the user has set his system to maybe automatically execute stuff.

> I have not convinced myself that just opening of a file (without
> executing of src blocks) is safe enough and there no dangerous
> #+startup options or other tricks.

That is why on GNU/Linux and BSD systems and other systems we have
login with username and passwords and locking screensavers. Those are
for use. Computers should be protected from malicious access.

By all means you are right to be cautious with Emacs that executes
here and there all kinds of things.

For the same reason one shall be cautious of any packages coming from
various popular package repositories as such are not verified for
safety issues.

For any Emacs package never allow local file variables to be executed
unless you are sure what you are doing. Just say no if unsure.

For any package offered by some not common communication line, such as
XMPP chat, or IRC like "Hey there, look what this theme does", do not
trust without being very sure that package is verified or at least
downloaded by many people without complaints.

Any programming language is insecure if people just execute programs
without verifying the background of such programs, the people behind them and
whether many users appreciate the programs.

When receiving an Org file by email you should know who the person behind
it is.

The only Org files I am receiving currently are from Sacha Chua, the Emacs
News, as I am subscribed to it. You may subscribe too:
https://sachachua.com/blog/#text-3

-- 
Thanks,
Jean Louis
⎔ λ 🄯 𝍄 𝌡 𝌚

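The point raised above about quoting '%s' in a mailcap entry can be illustrated with a small model of how a mailer expands such an entry. This is an added example, not code from the thread, from mutt or from Emacs; it assumes a simplified model in which nametemplate is applied to the temporary file name before %s is substituted, and it uses the text/org entry quoted in the thread as its sample input.

```python
import shlex

# Constructed sample entry, in the shape of the one quoted in the thread.
ORG_ENTRY = "text/org;   emacsclient %s; nametemplate=%s.org;"


def parse_mailcap_entry(entry: str) -> dict:
    """Split one mailcap line into type, view command and flag/value fields."""
    fields = [f.strip() for f in entry.split(";") if f.strip()]
    parsed = {"type": fields[0], "command": fields[1]}
    for field in fields[2:]:
        key, _, value = field.partition("=")
        parsed[key.strip()] = value.strip()
    return parsed


def render_command(entry: str, tmpname: str, quote: bool = True) -> str:
    """Expand the view command for a temporary file name.

    Simplified model (assumption): the mailer first names the temporary file
    via nametemplate, then substitutes that name for %s in the command.
    With quote=True the name is shell-quoted, so it always reaches the
    viewer as exactly one argument, whatever characters it contains.
    """
    parsed = parse_mailcap_entry(entry)
    template = parsed.get("nametemplate", "%s")
    final_name = template.replace("%s", tmpname)
    arg = shlex.quote(final_name) if quote else final_name
    return parsed["command"].replace("%s", arg)


def argv_for(entry: str, tmpname: str, quote: bool = True) -> list:
    """Return the argument vector a POSIX shell would build from the command."""
    return shlex.split(render_command(entry, tmpname, quote))


if __name__ == "__main__":
    # A temporary name containing a space: unquoted, it splits into two
    # arguments; quoted, the viewer receives one path ending in .org.
    print(argv_for(ORG_ENTRY, "/tmp/mutt 1", quote=False))
    print(argv_for(ORG_ENTRY, "/tmp/mutt 1", quote=True))
```

The quoted form yields `['emacsclient', '/tmp/mutt 1.org']`, while the unquoted form splits the path into two separate arguments.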

