emacs-orgmode

Re: bug#48676: Arbitrary code execution in Org export macros


From: Tom Gillespie
Subject: Re: bug#48676: Arbitrary code execution in Org export macros
Date: Wed, 26 May 2021 11:00:09 -0700

Hi Glenn,
     The definition for local variables doesn't cover things like org
macros, though the spirit of the policy is something worth keeping in
mind. Running M-x org-export-dispatch and hitting two keys means that
the user has to do something to trigger code execution, much like they
would have to intentionally accept certain risky local variables.

That said, the fact that many org operations can run arbitrary code is
definitely something that needs clearer documentation. It might make
sense to add a setting to detect closures that appear in org files to
ask for permission before running, but it likely should not be on by
default.

For a fairly extensive discussion of code execution in org see this
thread from Nov 2020.
https://orgmode.org/list/robi94$ma$1@ciao.gmane.io/#t

Best,
Tom


