emacs-orgmode
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#48676: Arbitrary code execution in Org export macros

From: Greg Minshall
Subject: bug#48676: Arbitrary code execution in Org export macros
Date: Thu, 27 May 2021 05:54:04 +0300 
Glenn,

thanks for the report.

i guess my take is that macro-evaluation, and that of other forms,
should be subject to the same restrictions as that of source block
evaluation.  i.e., prompting for permission to execute, subject to
=org-confirm-babel-evaluate= (or, more specific variables).

cheers, Greg

> Package: emacs,org-mode
> Version: 28.0.50
> Severity: important
> Tags: security
> 
> emacs -Q hello.org, where hello.org contains:
> 
> #+macro: hello (eval (shell-command-to-string "touch /tmp/HELLO"))
> Hello. {{{hello}}}
> 
> Then:
> M-x org-export-dispatch
> t A
> 
> -> now /tmp/HELLO exist, with no prompting.
> 
> This seems contrary to normal Emacs practice for risky local variables,
> and to the section "Code Evaluation and Security Issues" in the Org manual
> (which does not mention macros).
reply via email to
[Prev in Thread] Current Thread [Next in Thread]