From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail
From: Glenn Morris <rgm@gnu.org>
Newsgroups: gmane.emacs.bugs
Subject: bug#48676: Arbitrary code execution in Org export macros
Date: Wed, 26 May 2021 11:52:04 -0400
Message-ID: <2nk0nl7asb.fsf@fencepost.gnu.org>
Mime-Version: 1.0
Content-Type: text/plain
Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214";
	logging-data="24426"; mail-complaints-to="usenet@ciao.gmane.io"
User-Agent: Gnus (www.gnus.org), GNU Emacs (www.gnu.org/software/emacs/)
To: 48676@debbugs.gnu.org
Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org Wed May 26 17:53:18 2021
Return-path: <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org>
Envelope-to: geb-bug-gnu-emacs@m.gmane-mx.org
Original-Received: from lists.gnu.org ([209.51.188.17])
	by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
	(Exim 4.92)
	(envelope-from <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org>)
	id 1llvqQ-0006Ct-G1
	for geb-bug-gnu-emacs@m.gmane-mx.org; Wed, 26 May 2021 17:53:18 +0200
Original-Received: from localhost ([::1]:50684 helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org>)
	id 1llvqP-0003C4-Au
	for geb-bug-gnu-emacs@m.gmane-mx.org; Wed, 26 May 2021 11:53:17 -0400
Original-Received: from eggs.gnu.org ([2001:470:142:3::10]:58596)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1llvqA-0003Bh-Fm; Wed, 26 May 2021 11:53:02 -0400
Original-Received: from debbugs.gnu.org ([209.51.188.43]:38215)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1llvqA-00046v-7W; Wed, 26 May 2021 11:53:02 -0400
Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1llvqA-0001yb-6i; Wed, 26 May 2021 11:53:02 -0400
X-Loop: help-debbugs@gnu.org
Resent-From: Glenn Morris <rgm@gnu.org>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-gnu-emacs@gnu.org, emacs-orgmode@gnu.org
Resent-Date: Wed, 26 May 2021 15:53:01 +0000
Resent-Message-ID: <handler.48676.B.16220443347525@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: report 48676
X-GNU-PR-Package: emacs,org-mode
X-GNU-PR-Keywords: security
X-Debbugs-Original-To: submit@debbugs.gnu.org
Original-Received: via spool by submit@debbugs.gnu.org id=B.16220443347525
 (code B ref -1); Wed, 26 May 2021 15:53:01 +0000
Original-Received: (at submit) by debbugs.gnu.org; 26 May 2021 15:52:14 +0000
Original-Received: from localhost ([127.0.0.1]:49761 helo=debbugs.gnu.org)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
 id 1llvpO-0001xI-0e
 for submit@debbugs.gnu.org; Wed, 26 May 2021 11:52:14 -0400
Original-Received: from eggs.gnu.org ([209.51.188.92]:36614)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <rgm@gnu.org>) id 1llvpM-0001x5-2Q
 for submit@debbugs.gnu.org; Wed, 26 May 2021 11:52:12 -0400
Original-Received: from fencepost.gnu.org ([2001:470:142:3::e]:37996)
 by eggs.gnu.org with esmtp (Exim 4.90_1)
 (envelope-from <rgm@gnu.org>) id 1llvpG-0003g6-QR
 for submit@debbugs.gnu.org; Wed, 26 May 2021 11:52:06 -0400
Original-Received: from rgm by fencepost.gnu.org with local (Exim 4.90_1)
 (envelope-from <rgm@gnu.org>)
 id 1llvpE-0007OY-SY; Wed, 26 May 2021 11:52:05 -0400
X-Spook: Ruby Ridge Snow Intiso Minox JPL BND BMDO Beltran-Leyva
X-Ran: AEID5HY`jU\**5u#\,;a=Md@p)X[{jh1|>Dh9Gmj4A8F`=]fNlt%R?eV0nq6_]-IWnFQ-O
X-Hue: black
X-Attribution: GM
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
X-BeenThere: bug-gnu-emacs@gnu.org
List-Id: "Bug reports for GNU Emacs,
 the Swiss army knife of text editors" <bug-gnu-emacs.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-gnu-emacs>,
 <mailto:bug-gnu-emacs-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/bug-gnu-emacs>
List-Post: <mailto:bug-gnu-emacs@gnu.org>
List-Help: <mailto:bug-gnu-emacs-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-gnu-emacs>,
 <mailto:bug-gnu-emacs-request@gnu.org?subject=subscribe>
Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org
Original-Sender: "bug-gnu-emacs"
 <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org>
Xref: news.gmane.io gmane.emacs.bugs:207299
Archived-At: <http://permalink.gmane.org/gmane.emacs.bugs/207299>

Package: emacs,org-mode
Version: 28.0.50
Severity: important
Tags: security

emacs -Q hello.org, where hello.org contains:

#+macro: hello (eval (shell-command-to-string "touch /tmp/HELLO"))
Hello. {{{hello}}}

Then:
M-x org-export-dispatch
t A

-> now /tmp/HELLO exist, with no prompting.

This seems contrary to normal Emacs practice for risky local variables,
and to the section "Code Evaluation and Security Issues" in the Org manual
(which does not mention macros).