Re: bug#58774: 29.0.50; [WISH]: Let us make EWW browse WWW Org files correctly

[Max Nikulin]

On 26/10/2022 15:21, Jean Louis wrote:
> (defun browse-safe-url (url &optional arg)
----------------^^^^

>    "Browse URL with b"
>    (let ((username "joedoe")) ;; different username than my own
>      ;; Insecurity settings for personal DISPLAY only
>      (shell-command "xhost +")
>      ;; Browse URL with different username
>      (async-start-process "sudo" "sudo" nil "su" "-c" "--" username "-c"
>                          (format "exec iceweasel \"%s\"" url))))
-------------------------------------------------^^^^^^

Do not name "safe" a function having security vulnerabilities. Leaving 
aside XAuth issues, it allows arbitrary command execution if URL for 
some reason is not properly percent-encoded.

Do you think your reasoning related to security is still convincing?

If you were just requested mapping of Content-Type to some mode in eww, 
perhaps it would pass. You demanded Org mode configured by default. Org 
have enough means to execute arbitrary code with minimal efforts from 
user side. E.g. value of table cell may be recalculated.

Org files originating from non-trusted sources must be carefully 
evaluated before opening them in Emacs.

Sometimes Org developer and maintainers do not have enough resources to 
react to security-related reports. An issue not so dangerous in the 
current state becomes really weird if Org mode becomes a default handler 
for files fetched from net.

You may fight for your right to freely shoot your legs but you must be 
careful enough to not injury people around. Reputation of Emacs may be 
significantly affected by the requested change.

I am strongly against Org mode as a default handler for files downloaded 
from web sites. Eww user option, if implemented, should have prominent 
warning that particular mode may not be ready for such usage and each 
case should be carefully evaluated for security issues.