bug#44837: 28.0.50; Local-variables: in middle of file wants to get executed

bug#44837: 28.0.50; Local-variables: in middle of file wants to get executed

[Jean Louis]

How to reproduce:

- make email with the text containing Local-variables as below.

-------------------- text begin below-----------------------
* Eric S Fraga <e.fraga@ucl.ac.uk> [2020-11-24 12:46]:
> On Tuesday, 24 Nov 2020 at 12:00, Jean Louis wrote:
> > Can I automated the execution of Babel code upon opening of the Org
> > file?
> 
> You can, by using file local variables.  For instance, for some files, I
> do this:
> 
> #+begin_src org
>   ,* local variables                         :noexport:
>   # Local Variables:
>   # eval: (org-sbe "startup")
>   # End:
> #+end_src
> 
> which will evaluate the named src block "startup" when file is opened.
> 
> Note that this is a potential security hole so only do this for files
> you trust!

For me is fine, as I do that for files I create.

When I have opened this email i was also asked to set local variables,
imagine. So that could maybe also mean that one could send email that
is constructed as Org file and if user answers YES, one could inject
malicious stuff.

--------------- the text above -------------------
still asks me if I like to allow eval: (org-sbe "startup")

So I think this is bug in Emacs as Local-variables should be on the
end of the file.

I am asked when editing such email to execute those local variables
above quoted even though they are not on the end of the file. I think
this is security issue as described above in the same file. People
could spam other users, include some local variables and those
answering with Emacs could send them their email addresses, or
passwods or other private information, it could also invoke various
modes like Org mode and execute various scripts.

-- 
Thanks,
Jean Louis
⎔ λ 🄯 𝍄 𝌡 𝌚

bug#44837: 28.0.50; Local-variables: in middle of file wants to get executed

[Jean Louis]

I am proposing following changes to the dialogue with unsafe
variables:

- to include on minibuffer the option ? to READ MANUAL and lead user
  to the section 49.2.4.2 Safety of File Variables where there are
  dangerous to data cited

- to make the dialogue window with cursor rather than without any
  cursor how it is now, so that user can click on buttons pointing to
  the above manual page

- to designate some parts as shown below to be buttons to the manual
  page clickable both from console and from X Emacs

- to give user option to permanently mark specific file or directory
  variables as unsafe and not to be asked again to accept them over
  and over again as that makes unfair choice to user

- if user clicks ? or C-g or tries to escape or anything else but Y or
  !, then the dialogue should fail and file get loaded just as
  usual. Upon the next opening of the file everything should go as
  usual.

- to add section in the tutorial that references that variables should
  not be opened as nothing about these issues is written in the
  tutorial. One could say that before accepting any variables user
  shall read the manual section 49.2.4.2 Safety of File Variables, and
  until full understanding is achieved user is advised not to accept
  such variables.

From the current template:
==========================

The local variables list in /home/data1/protected/x
contains values that may not be safe (*).

Do you want to apply it?  You can type
y  -- to apply the local variables list.
n  -- to ignore the local variables list.
!  -- to apply the local variables list, and permanently mark these
      values (*) as safe (in the future, they will be set automatically.)

  * eval : (when (and (buffer-file-name) (not (file-directory-p (.......

Proposed hyperlinks to manual page:
===================================

The local variables list in /home/data1/protected/x
    ^^^^^^^^^^^^^^^
contains values that may not be safe (*).
         ^^^^^^      ^^^^^^^^^^^^^^^^^^^
Do you want to apply it?  You can type
y  -- to apply the local variables list.
         ^^^^^^^^^^^^^^^^^^^^^^^^^
n  -- to ignore the local variables list.
!  -- to apply the local variables list, and permanently mark these
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      values (*) as safe (in the future, they will be set automatically.)

  * eval : (when (and (buffer-file-name) (not (file-directory-p (.......
    ^^^^^^

- to give to user option to permanently NOT mark these values to be
  accepted, as the choice above is inclined to accept variables and it
  makes users error prone to accept unsafe variables, but it does not
  give option to permanently mark those as unsafe.

  This is more important for dir local variables where user may be
  asked many times to accept variables.

  Being asked 20 times will make user finally permanently accept
  variables.

  But user has no visible way to permanently ignore those variables.

- safety for millions of users who do not use Emacs Lisp or who may
  not be programmers.



Reasons:
========

- Emacs assumes wrongly that millions of users will know the meanings
  of "variable", "value", "apply" variable, "eval" and "safe",
  including the meanings of all of the Emacs Lisp that may be shown
  after eval: line and that seem not to be user friendly

- to follow the principle of being self-documenting one shall give
  hyperlinks or references to documentation, thus giving user the
  actual informed choice.

- right now user does not have informed choice and is coerced to
  permanently accept variables.

More references:

https://lists.gnu.org/archive/html/emacs-orgmode/2020-11/msg00609.html

https://lists.gnu.org/archive/html/emacs-orgmode/2020-11/msg00633.html

Here are references of confused users on Stack-something:
https://lists.gnu.org/archive/html/emacs-orgmode/2020-11/msg00655.html

https://lists.gnu.org/archive/html/emacs-orgmode/2020-11/msg00665.html

bug#44837: 28.0.50; Local-variables: in middle of file wants to get executed

[Lars Ingebrigtsen]

Jean Louis <bugs@gnu.support> writes:

> How to reproduce:
>
> - make email with the text containing Local-variables as below.

[...]

>> #+begin_src org
>>   ,* local variables                         :noexport:
>>   # Local Variables:
>>   # eval: (org-sbe "startup")
>>   # End:
>> #+end_src
>> 
>> which will evaluate the named src block "startup" when file is opened.

I'm unable to reproduce this bug.  How are you reading this mail?
rmail?  Gnus?  Something else?

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no

bug#44837: 28.0.50; Local-variables: in middle of file wants to get executed

[Jean Louis]

* Lars Ingebrigtsen <larsi@gnus.org> [2020-11-26 14:15]:
> Jean Louis <bugs@gnu.support> writes:
> 
> > How to reproduce:
> >
> > - make email with the text containing Local-variables as below.
> 
> [...]
> 
> >> #+begin_src org
> >>   ,* local variables                         :noexport:
> >>   # Local Variables:
> >>   # eval: (org-sbe "startup")
> >>   # End:
> >> #+end_src
> >> 
> >> which will evaluate the named src block "startup" when file is opened.
> 
> I'm unable to reproduce this bug.  How are you reading this mail?
> rmail?  Gnus?  Something else?

By invoking emacsclient

That it is email is not relevant. I would like to say that focus shall
be on those follow up emails from me on how to improve the dialogue.

Did you get it?

bug#44837: 28.0.50; Local-variables: in middle of file wants to get executed

[Lars Ingebrigtsen]

Jean Louis <bugs@gnu.support> writes:

>> I'm unable to reproduce this bug.  How are you reading this mail?
>> rmail?  Gnus?  Something else?
>
> By invoking emacsclient
>
> That it is email is not relevant. I would like to say that focus shall
> be on those follow up emails from me on how to improve the dialogue.
>
> Did you get it?

Nope.  Having an Emacs client eval arbitrary code that it's receiving
would be a major security problem.  Loading local files is less of a
problem.

So if this has nothing to do with emails, that's nice.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no

bug#44837: 28.0.50; Local-variables: in middle of file wants to get executed

[Jean Louis]

* Lars Ingebrigtsen <larsi@gnus.org> [2020-11-26 15:55]:
> Jean Louis <bugs@gnu.support> writes:
> 
> >> I'm unable to reproduce this bug.  How are you reading this mail?
> >> rmail?  Gnus?  Something else?
> >
> > By invoking emacsclient
> >
> > That it is email is not relevant. I would like to say that focus shall
> > be on those follow up emails from me on how to improve the dialogue.
> >
> > Did you get it?
> 
> Nope.  Having an Emacs client eval arbitrary code that it's receiving
> would be a major security problem.  Loading local files is less of a
> problem.

Please see here:
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=44837#8

> So if this has nothing to do with emails, that's nice.

I do not think that major problem is email but more fundamental in how
is that dialogue displayed.

When I read email with Mutt and use Emacs, then local variables want
to get executed.

My comments are on the above link as I forgot to include you and
assumed you would get email automatically.

Thank you,
Jean

bug#44837: 28.0.50; Local-variables: in middle of file wants to get executed

[Lars Ingebrigtsen]

Jean Louis <bugs@gnu.support> writes:

> When I read email with Mutt and use Emacs, then local variables want
> to get executed.

Just to ensure that I understand you -- this has nothing to do with
reading mail, has it?  It's about opening a file containing local
variables in Emacs from disk?  (I asked before, but the response was
ambiguous.)

(That you received the file via mail is pretty immaterial.)

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no

bug#44837: 28.0.50; Local-variables: in middle of file wants to get executed

[Lars Ingebrigtsen]

Lars Ingebrigtsen <larsi@gnus.org> writes:

> Just to ensure that I understand you -- this has nothing to do with
> reading mail, has it?  It's about opening a file containing local
> variables in Emacs from disk?  (I asked before, but the response was
> ambiguous.)
>
> (That you received the file via mail is pretty immaterial.)

Everything seems to be working as designed here -- Emacs will query you
about local variable stuff, and if you don't want that, then customize
`inhibit-local-variables-regexps' to ignore all the files.

So I'm closing this bug report.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no