From: Max Nikulin
Subject: Re: [BUG][Security] begin_src :var evaluated before the prompt to confirm execution
Date: Fri, 28 Oct 2022 11:11:18 +0700
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.2.2

On 28/10/2022 10:19, Ihor Radchenko wrote:
> Jean Louis writes:
>> * Max Nikulin [2022-10-27 06:21]:
>>> Expected result:
>>> No code from the Org buffer and linked files is executed prior to
>>> confirmation from the user.
>>
>> Should that be or is it a general policy for Org mode?
>
> Yes, it is a general policy. Org should not execute arbitrary Elisp
> without confirmation, unless the user customizes the confirmation query
> to non-default.

There are significantly different contexts: trusted files created locally and arbitrary files fetched through some link in the web. Features really convenient in the former case may become a disaster in the latter.
If a user is prompted to confirm evaluation of each table formula then spreadsheet feature becomes unusable.

---- >8 ----
Enter value and press =TAB=

|   | Value | Result |
|---+-------+--------|
| # |       |        |
#+tblfm: $3='(progn (message "%s" "pwnd") 0)
---- 8< ----

I suspect a bunch of similar problems with export feature. The ability to save an .org file as a nicely formatted PDF is great but simultaneously dangerous for files obtained from the net. I would like to have safe export, but I am afraid that actually the code would be fragile.
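
For files obtained from the net, the two constructs named in this thread (an Elisp table formula and a `:var` value that is an Elisp form) can be flagged before the file is opened in Emacs. The following is an added example, not part of the message and not Org's own code; `scan_org` and the sample text are constructed for illustration, and the check is a line-based heuristic limited to `#+tblfm:` and src-block header lines.

```python
import re

# Constructed sample: the table from the message plus a src block whose
# :var value is an Elisp form (the case named in the thread subject).
SAMPLE = '''\
Enter value and press =TAB=

|   | Value | Result |
|---+-------+--------|
| # |       |        |
#+tblfm: $3='(progn (message "%s" "pwnd") 0)

#+begin_src sh :var host=(system-name) :results output
echo "$host"
#+end_src

#+begin_src sh :var n=5
echo "$n"
#+end_src
#+tblfm: $3=$2*2
'''

TBLFM = re.compile(r'^\s*#\+tblfm:\s*(.*)$', re.I)
SRC = re.compile(r'^\s*#\+(?:begin_src|headers?)\b(.*)$', re.I)
# Org treats a :var value starting with ( [ ' or ` as Emacs Lisp.
VAR_ELISP = re.compile(r""":var\s+([^\s=]+)=([(\['`]\S*)""")
# A table formula whose right-hand side starts with '( is an Elisp form.
FORMULA_ELISP = re.compile(r"[^=]*=\s*'\(")

def scan_org(text):
    """Return (line_no, kind, snippet) for constructs that carry Elisp."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = TBLFM.match(line)
        if m:
            for formula in m.group(1).split('::'):  # formulas are ::-separated
                if FORMULA_ELISP.match(formula.strip()):
                    findings.append((no, 'tblfm-elisp', formula.strip()))
            continue
        m = SRC.match(line)
        if m:
            for name, value in VAR_ELISP.findall(m.group(1)):
                findings.append((no, 'var-elisp', f'{name}={value}'))
    return findings

if __name__ == '__main__':
    for no, kind, snippet in scan_org(SAMPLE):
        print(f'line {no}: {kind}: {snippet}')
```

Plain Calc formulas such as `$3=$2*2` and literal values such as `:var n=5` are not reported, so a clean result only covers these two constructs.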