emacs-orgmode
Re: bug#48676: Arbitrary code execution in Org export macros


From: Tim Cross
Subject: Re: bug#48676: Arbitrary code execution in Org export macros
Date: Thu, 27 May 2021 09:01:33 +1000
User-agent: mu4e 1.5.13; emacs 27.2.50

Glenn Morris <rgm@gnu.org> writes:

> Package: emacs,org-mode
> Version: 28.0.50
> Severity: important
> Tags: security
>
> emacs -Q hello.org, where hello.org contains:
>
> #+macro: hello (eval (shell-command-to-string "touch /tmp/HELLO"))
> Hello. {{{hello}}}
>
> Then:
> M-x org-export-dispatch
> t A
>
> -> now /tmp/HELLO exists, with no prompting.
>
> This seems contrary to normal Emacs practice for risky local variables,
> and to the section "Code Evaluation and Security Issues" in the Org manual
> (which does not mention macros).

I'm not quite sure if this is the same as the concern with risky local
file variables. The big difference is that with the local file
variables, without the default behaviour of asking for permission to
evaluate, the code would be evaluated simply by loading the file. With
the org file, nothing is evaluated when you load the file. The user has
to actively request evaluation (via export or tangling).

I would agree the org manual should make it very clear that exporting
and tangling can result in macro evaluation, which could involve
evaluation of arbitrary code and the risks this can introduce.

-- 
Tim Cross
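A pre-export check in the spirit of the point above, as an added example that is not code from the bug report, from Org mode or from Emacs: it scans the text of an Org document for `#+macro:` definitions whose body begins with `(eval` (the form Org hands to the Lisp evaluator on expansion) and reports where each such macro is expanded, so a reviewer can inspect them before running the exporter. The sample document is constructed and reuses the macro from the report alongside harmless ones; macro names are compared case-insensitively, which is an assumption about Org's lookup.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# "#+macro: NAME BODY"; the keyword itself is case-insensitive in Org.
MACRO_DEF_RE = re.compile(r"^\s*#\+macro:\s+(?P<name>\S+)\s+(?P<body>.*)$", re.IGNORECASE)
# "{{{NAME}}}" or "{{{NAME(args)}}}" expansion sites in the body text.
MACRO_USE_RE = re.compile(r"\{\{\{(?P<name>[A-Za-z][-A-Za-z0-9_]*)(?:\((?P<args>[^)]*)\))?\}\}\}")


class RiskyMacro(NamedTuple):
    name: str
    defined_at: int          # 1-based line of the #+macro: definition
    body: str                # the macro body as written in the file
    expanded_at: List[int]   # 1-based lines where {{{name}}} is expanded


def find_risky_macros(org_text: str) -> List[RiskyMacro]:
    """Return every macro whose body would be evaluated as Emacs Lisp on export."""
    definitions: Dict[str, Tuple[int, str]] = {}
    uses: Dict[str, List[int]] = {}
    for lineno, line in enumerate(org_text.splitlines(), start=1):
        m = MACRO_DEF_RE.match(line)
        if m:
            # Assumption: names are looked up case-insensitively, so normalise them.
            definitions[m.group("name").lower()] = (lineno, m.group("body").strip())
            continue
        for u in MACRO_USE_RE.finditer(line):
            uses.setdefault(u.group("name").lower(), []).append(lineno)
    return [
        RiskyMacro(name, lineno, body, uses.get(name, []))
        for name, (lineno, body) in definitions.items()
        if body.lower().startswith("(eval")
    ]


# Constructed sample: one plain-text macro, one benign eval macro, and the
# macro from the bug report. Nothing here is evaluated; it is only scanned.
SAMPLE_ORG = "\n".join([
    "#+title: Hello",
    "#+macro: author Jane Doe",
    '#+MACRO: today (eval (format-time-string "%Y-%m-%d"))',
    '#+macro: hello (eval (shell-command-to-string "touch /tmp/HELLO"))',
    "Hello. {{{hello}}} written by {{{author}}} on {{{today}}}",
])

if __name__ == "__main__":
    for r in find_risky_macros(SAMPLE_ORG):
        print(f"line {r.defined_at}: macro '{r.name}' evaluates Lisp; "
              f"expanded at lines {r.expanded_at}: {r.body}")
```

Run it over an Org file's contents before `org-export-dispatch`; an empty result means no `(eval` macros are defined in the document itself (macros pulled in via other setup files are not followed).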
