From mboxrd@z Thu Jan 1 00:00:00 1970
From: Timothy
Newsgroups: gmane.emacs.bugs
Subject: bug#48676: Arbitrary code execution in Org export macros
Date: Thu, 27 May 2021 01:07:27 +0800
Message-ID: <87mtsho240.fsf__20418.2959323347$1622054650$gmane$org@gmail.com>
References: <2nk0nl7asb.fsf@fencepost.gnu.org>
In-reply-to: <2nk0nl7asb.fsf@fencepost.gnu.org>
To: Glenn Morris
Cc: 48676@debbugs.gnu.org
X-GNU-PR-Package: emacs,org-mode
X-GNU-PR-Keywords: security

Thanks for reporting this.

Glenn Morris writes:

> This seems contrary to normal Emacs practice for risky local variables,

Hmm, correct me if I'm wrong but the issue with risky local variables is that they affect Emacs before the user sees them in the file? If this is an important distinction, it means this particular type of concern does not apply to Org #+macro statements, as they are not executed when the user opens the file.

That said, if one were making say an automated Org file exporter or something, I could see this being problematic. Perhaps a var set to allow macros by default could be a good idea.

> and to the section "Code Evaluation and Security Issues" in the Org manual
> (which does not mention macros).

Looks like this should be updated regardless of the above.

--
Timothy
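
An added example, not part of the original message or of Org itself: a pre-export check that an automated exporter could run to flag `#+MACRO` definitions whose template is an `(eval ...)` form, which Org evaluates as Lisp when macros are expanded at export. The function names, the `allow_eval_macros` switch and the sample text are assumptions constructed for illustration.

```python
import re

# Org keyword line "#+MACRO: name template". Keywords are case-insensitive
# and may be indented; the macro name is the first whitespace-delimited token.
MACRO_RE = re.compile(r"^[ \t]*#\+macro:[ \t]*(\S+)[ \t]*(.*)$", re.IGNORECASE)
# A template that starts with the symbol `eval` is treated as Lisp code.
EVAL_RE = re.compile(r"\(eval\b", re.IGNORECASE)


def find_eval_macros(org_text):
    """Return [(line_number, macro_name)] for macros with a Lisp template.

    Deliberately conservative: only this file's own text is scanned (files it
    pulls in are not followed), and keyword-looking lines inside example or
    source blocks are flagged too.
    """
    hits = []
    for lineno, line in enumerate(org_text.splitlines(), start=1):
        m = MACRO_RE.match(line)
        if m and EVAL_RE.match(m.group(2)):
            hits.append((lineno, m.group(1)))
    return hits


def export_allowed(org_text, allow_eval_macros=False):
    """Gate for an unattended exporter (hypothetical policy switch).

    Returns (ok, hits). With the switch off, any eval macro blocks export
    so that a human can review the file first.
    """
    hits = find_eval_macros(org_text)
    return (allow_eval_macros or not hits), hits


# Constructed sample input, not taken from the bug report.
SAMPLE = """#+title: Constructed sample
#+MACRO: author Jane Doe
#+macro: stamp (eval (format-time-string "%Y"))
  #+Macro: n2   (EVAL (message "hi"))
Body text with {{{stamp}}}.
"""

if __name__ == "__main__":
    ok, found = export_allowed(SAMPLE)
    print("export allowed:", ok)
    for lineno, name in found:
        print(f"line {lineno}: macro '{name}' evaluates Lisp at export")
```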