From: "Dr. Arne Babenhauserheide"
Newsgroups: gmane.emacs.orgmode,gmane.emacs.bugs
Subject: Re: 29.0.50; [WISH]: Let us make EWW browse WWW Org files correctly
Date: Tue, 25 Oct 2022 23:54:46 +0200
Message-ID: <87r0yvsgtt.fsf@web.de>
References: <86bkq0qf8p.fsf@protected.rcdrun.com> <87bkq0t03l.fsf@web.de>
To: Jean Louis
Cc: bug-gnu-emacs@gnu.org, emacs-orgmode@gnu.org

Jean Louis writes:

> * Dr. Arne Babenhauserheide [2022-10-25 18:06]:
>> > This wish request is related to Emacs EWW and Org mode.
>> >
>> > Please make EWW recognize Org file when served by WWW server. Currently
>> > it does not recognize the MIME type text/x-org and opens the file as
>> > text, it does not invoke the org mode. In my opinion, it should.
>>
>> This sounds dangerous. Org mode can execute untrusted code, so this
>> could trick people into running untrusted code with the permissions of
>> their Emacs.
>
> I can always do that in Emacs, execute untrusted code. There are no
> trust mechanisms for plethora of Emacs packages and codes distributed
> over Internet.

All of the Emacs packages have some amount of implicit trust. Even melpa
carefully vets packages nowadays. That’s not the case for some website
you visit.

> That was not my request.
>
> Do you know how to make this work?

If you ask me whether I can make this work safely: This would first
require the introduction of a safe-org-mode which strictly disables all
features that can execute remote code or disguise unsafe operations as
safe ones. If a user then decides to explicitly call M-x org-mode,
that’s their problem.

If you ask me whether I know how to make this work unsafely: It likely
won’t need a lot of elisp reading, but I do not, because I do not look
for it, because if I did, I would not. I do not want to be the one who
caused the systems of eww users to get breached, or who helped opening
that security hole.

Best wishes,
Arne
-- 
Being apolitical means being political without noticing it.
draketo.de
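
Added illustration, not part of the original message and not code from Org or EWW: a Python pre-check that flags the kinds of constructs in a fetched Org document that a restricted mode such as the proposed safe-org-mode would have to neutralize. The names `RISKY_PATTERNS`, `scan_org` and `is_plain`, the choice of patterns, and the sample document are assumptions of this example.

```python
import re

# Org constructs that can run code, or pull in remote content, when a buffer
# is opened, clicked or exported. Assumed selection for this example; it is
# not an exhaustive inventory of Org features.
RISKY_PATTERNS = [
    ("babel-src-block", re.compile(r"^\s*#\+begin_src\b", re.I)),
    ("babel-call", re.compile(r"^\s*#\+call:", re.I)),
    ("inline-babel",
     re.compile(r"\b(?:src_[\w-]+|call_[\w-]+)(?:\[[^\]\n]*\])?[{(]")),
    ("elisp-or-shell-link", re.compile(r"\[\[(?:elisp|shell):", re.I)),
    ("remote-setupfile-or-include",
     re.compile(r'^\s*#\+(?:setupfile|include):\s*"?(?:https?|ftp)://', re.I)),
    ("export-bind", re.compile(r"^\s*#\+bind:", re.I)),
    ("file-local-eval", re.compile(r"^\s*#\s*eval:", re.I)),
    ("prop-line-eval", re.compile(r"-\*-.*\beval:.*-\*-", re.I)),
]

def scan_org(text):
    """Return (line_number, finding_name) pairs for every risky construct."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in RISKY_PATTERNS:
            if pattern.search(line):
                findings.append((lineno, name))
    return findings

def is_plain(text):
    """True only when no listed construct appears anywhere in the document."""
    return not scan_org(text)

# Constructed sample of an Org file served by a web server (harmless content).
SAMPLE = """\
#+TITLE: Release notes
#+SETUPFILE: https://example.org/theme.setup
* Install
See the [[elisp:(message "constructed sample")][table of contents]].
#+begin_src sh :results silent
echo constructed sample
#+end_src
Total: src_python{return 1+1}
# Local Variables:
# eval: (message "constructed sample")
# End:
"""

if __name__ == "__main__":
    for lineno, name in scan_org(SAMPLE):
        print(f"line {lineno}: {name}")
```

A clean result only means none of the listed patterns matched; it is not evidence that the document is safe to open in full org-mode.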