emacs-orgmode
From: Max Nikulin
Subject: [BUG][Security] begin_src :var evaluated before the prompt to confirm execution
Date: Thu, 27 Oct 2022 10:18:05 +0700
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.2.2

Hi,

First, I apologize. I believed that a dedicated report raising this issue had been posted to this mailing list by somebody. I cannot find such a message, and in my notes the heading is linked to a quite general discussion related to source blocks.

Consider the following source block

---- >8 ----
#+begin_src elisp :var a=(message "%s" "pwnd")
  a
#+end_src
---- 8< ----

Open the "*Messages*" buffer (C-h e) and try to evaluate the source block (C-c C-c).

Actual result:
The "pwnd" message appears in "*Messages*" simultaneously with the user prompt asking whether the code should be executed.

Expected result:
No code from the Org buffer and linked files is executed prior to confirmation from the user.

Emacs 26.3, Org version is the current main HEAD:

6bbd08f5a 2022-10-26 15:15:42 +0800 Ihor Radchenko: org-datetree-insert-line: Fix blank line insertion

I consider such issues a reason why it is a bad idea to use Emacs as a handler for Org files downloaded from the web. Such files should first be inspected in some viewer unable to execute embedded code. A strong reason should be necessary to call Emacs for a file from a non-trusted source.

I never considered this issue a really urgent one, because a user should at least hit C-c C-c to activate malicious code. It has a similar severity to refreshing table cell formulas, which would be almost unusable if protected by a user prompt.

To be honest, this is the only real issue I have noticed since people on this list tried to convince me 2 years ago that Org is quite safe with respect to unsolicited execution of embedded code.
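The report above recommends inspecting Org files from untrusted sources in something that cannot execute embedded code before handing them to Emacs. The following is an added example of such an inspection step, not code from the report or from Org mode: a small Python scanner that lists every Babel header argument whose :var value is a Lisp form (the shape `:var name=(...)` shown in the report), since those forms are what get evaluated before the confirmation prompt. The sample Org text, the function names and the decision to look only at `#+begin_src`, `#+header:` and `#+property: header-args` lines are assumptions made for this example.

```python
"""Scan Org text for :var header arguments that carry a Lisp form.

Added example (not part of the mailing-list report): it runs outside Emacs,
so nothing in the scanned file can be evaluated while it is inspected.
"""
import re
from typing import Dict, List

# Lines that can carry Babel header arguments (assumption for this example:
# block headers, #+header: lines and #+property: header-args lines).
HEADER_LINE_RE = re.compile(
    r'^\s*#\+(?:begin_src\b|header:|property:\s*header-args\S*)(?P<rest>.*)$',
    re.IGNORECASE,
)
# ":var NAME=" followed by the value; we only care about values starting with "(".
VAR_RE = re.compile(r':var\s+(?P<name>[^\s=]+)=')


def read_lisp_form(text: str, start: int) -> str:
    """Return the balanced parenthesised form beginning at text[start] == '('.

    Double-quoted string literals are skipped so that parentheses inside
    them do not affect the depth count. An unbalanced form is returned
    up to the end of the text rather than silently dropped.
    """
    depth = 0
    in_string = False
    i = start
    while i < len(text):
        ch = text[i]
        if in_string:
            if ch == '\\':
                i += 1              # skip the escaped character
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch == '(':
            depth += 1
        elif ch == ')':
            depth -= 1
            if depth == 0:
                return text[start:i + 1]
        i += 1
    return text[start:]


def find_var_forms(org_text: str) -> List[Dict[str, object]]:
    """Return one finding per :var argument whose value is a Lisp form."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(org_text.splitlines(), 1):
        m = HEADER_LINE_RE.match(line)
        if not m:
            continue
        rest = m.group('rest')
        for vm in VAR_RE.finditer(rest):
            value_start = vm.end()
            if value_start < len(rest) and rest[value_start] == '(':
                findings.append({
                    'line': lineno,
                    'name': vm.group('name'),
                    'form': read_lisp_form(rest, value_start),
                })
    return findings


# Constructed sample: the block from the report plus a #+header: line and a
# block whose :var values are a literal and a table reference (not flagged).
SAMPLE_ORG = """\
* Notes
#+begin_src elisp :var a=(message "%s" "pwnd")
  a
#+end_src

#+header: :var b=(getenv "HOME")
#+begin_src python :var n=3 :var tbl=my-table
print(n)
#+end_src
"""

if __name__ == '__main__':
    for f in find_var_forms(SAMPLE_ORG):
        print(f"line {f['line']}: :var {f['name']} evaluates Lisp form {f['form']}")
```

Run it over a downloaded .org file (read the file into `find_var_forms` instead of `SAMPLE_ORG`) before opening the file in Emacs; any line it reports is a header argument that the report shows being evaluated ahead of the C-c C-c confirmation prompt.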
