* bug#48676: Arbitrary code execution in Org export macros
2021-05-26 15:52 bug#48676: Arbitrary code execution in Org export macros Glenn Morris
@ 2021-05-26 17:07 ` Timothy
[not found] ` <87mtsho240.fsf@gmail.com>
` (3 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: Timothy @ 2021-05-26 17:07 UTC (permalink / raw)
To: Glenn Morris; +Cc: 48676
Thanks for reporting this.
Glenn Morris <rgm@gnu.org> writes:
> This seems contrary to normal Emacs practice for risky local variables,
Hmm, correct me if I'm wrong but the issue with risky local variables is
that they affect Emacs before the user sees them in the file? If this is
an important distinction, it means this particular type of concern does
not apply to Org #+macro statements, as they are not executed when the
user opens the file.
That said, if one were making say an automated Org file exporter or
something, I could see this being problematic. Perhaps a var set to
allow macros by default could be a good idea.
> and to the section "Code Evaluation and Security Issues" in the Org manual
> (which does not mention macros).
Looks like this should be updated regardless of the above.
--
Timothy
^ permalink raw reply [flat|nested] 6+ messages in thread[parent not found: <87mtsho240.fsf@gmail.com>]
* bug#48676: Arbitrary code execution in Org export macros
[not found] ` <87mtsho240.fsf@gmail.com>
@ 2021-05-26 18:00 ` Tom Gillespie
0 siblings, 0 replies; 6+ messages in thread
From: Tom Gillespie @ 2021-05-26 18:00 UTC (permalink / raw)
To: Timothy; +Cc: rgm, 48676
Hi Glenn,
The definition for local variables doesn't cover things like org
macros, though the spirit of the policy is something worth keeping in
mind. Running M-x org-export-dispatch and hitting two keys means that
the user has to do something to trigger code execution, much like they
would have to intentionally accept certain risky local variables.
That said, the fact that many org operations can run arbitrary code is
definitely something that needs clearer documentation. It might make
sense to add a setting to detect closures that appear in org files to
ask for permission before running, but it likely should not be on by
default.
For a fairly extensive discussion of code execution in org see this
thread from Nov 2020.
https://orgmode.org/list/robi94$ma$1@ciao.gmane.io/#t
Best,
Tom
^ permalink raw reply [flat|nested] 6+ messages in thread
* bug#48676: Arbitrary code execution in Org export macros
2021-05-26 15:52 bug#48676: Arbitrary code execution in Org export macros Glenn Morris
2021-05-26 17:07 ` Timothy
[not found] ` <87mtsho240.fsf@gmail.com>
@ 2021-05-27 2:54 ` Greg Minshall
2021-05-27 7:02 ` Rafael Ramirez Morales
2022-06-21 0:37 ` Mike Kupfer
4 siblings, 0 replies; 6+ messages in thread
From: Greg Minshall @ 2021-05-27 2:54 UTC (permalink / raw)
To: Glenn Morris; +Cc: 48676
Glenn,
thanks for the report.
i guess my take is that macro-evaluation, and that of other forms,
should be subject to the same restrictions as that of source block
evaluation. i.e., prompting for permission to execute, subject to
=org-confirm-babel-evaluate= (or, more specific variables).
cheers, Greg
> Package: emacs,org-mode
> Version: 28.0.50
> Severity: important
> Tags: security
>
> emacs -Q hello.org, where hello.org contains:
>
> #+macro: hello (eval (shell-command-to-string "touch /tmp/HELLO"))
> Hello. {{{hello}}}
>
> Then:
> M-x org-export-dispatch
> t A
>
> -> now /tmp/HELLO exist, with no prompting.
>
> This seems contrary to normal Emacs practice for risky local variables,
> and to the section "Code Evaluation and Security Issues" in the Org manual
> (which does not mention macros).
^ permalink raw reply [flat|nested] 6+ messages in thread* bug#48676: Arbitrary code execution in Org export macros
2021-05-26 15:52 bug#48676: Arbitrary code execution in Org export macros Glenn Morris
` (2 preceding siblings ...)
2021-05-27 2:54 ` Greg Minshall
@ 2021-05-27 7:02 ` Rafael Ramirez Morales
2022-06-21 0:37 ` Mike Kupfer
4 siblings, 0 replies; 6+ messages in thread
From: Rafael Ramirez Morales @ 2021-05-27 7:02 UTC (permalink / raw)
To: Glenn Morris; +Cc: 48676
[-- Attachment #1: Type: text/plain, Size: 750 bytes --]
Just a couple of questions:
who is the owner of the HELLO file?
OR
who is the owner of the "touch" process?
Is the owner the unprivileged user or the "emacs" system?
Thanks.
On Wed, 26 May 2021 at 17:53, Glenn Morris <rgm@gnu.org> wrote:
> Package: emacs,org-mode
> Version: 28.0.50
> Severity: important
> Tags: security
>
> emacs -Q hello.org, where hello.org contains:
>
> #+macro: hello (eval (shell-command-to-string "touch /tmp/HELLO"))
> Hello. {{{hello}}}
>
> Then:
> M-x org-export-dispatch
> t A
>
> -> now /tmp/HELLO exist, with no prompting.
>
> This seems contrary to normal Emacs practice for risky local variables,
> and to the section "Code Evaluation and Security Issues" in the Org manual
> (which does not mention macros).
>
>
[-- Attachment #2: Type: text/html, Size: 1370 bytes --]
^ permalink raw reply [flat|nested] 6+ messages in thread* bug#48676: Arbitrary code execution in Org export macros
2021-05-26 15:52 bug#48676: Arbitrary code execution in Org export macros Glenn Morris
` (3 preceding siblings ...)
2021-05-27 7:02 ` Rafael Ramirez Morales
@ 2022-06-21 0:37 ` Mike Kupfer
4 siblings, 0 replies; 6+ messages in thread
From: Mike Kupfer @ 2022-06-21 0:37 UTC (permalink / raw)
To: 48676
I just verified that this issue is still present in Emacs master
(4ae315f7c3).
mike
^ permalink raw reply [flat|nested] 6+ messages in thread