From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail From: Jean Louis Newsgroups: gmane.emacs.bugs Subject: bug#44837: 28.0.50; Local-variables: in middle of file wants to get executed Date: Tue, 24 Nov 2020 12:54:25 +0300 Message-ID: Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214"; logging-data="36266"; mail-complaints-to="usenet@ciao.gmane.io" To: 44837@debbugs.gnu.org Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org Tue Nov 24 10:56:12 2020 Return-path: Envelope-to: geb-bug-gnu-emacs@m.gmane-mx.org Original-Received: from lists.gnu.org ([209.51.188.17]) by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1khV3T-0009H9-35 for geb-bug-gnu-emacs@m.gmane-mx.org; Tue, 24 Nov 2020 10:56:11 +0100 Original-Received: from localhost ([::1]:36582 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1khV3S-0006LC-4x for geb-bug-gnu-emacs@m.gmane-mx.org; Tue, 24 Nov 2020 04:56:10 -0500 Original-Received: from eggs.gnu.org ([2001:470:142:3::10]:51766) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1khV3K-0006J5-Av for bug-gnu-emacs@gnu.org; Tue, 24 Nov 2020 04:56:02 -0500 Original-Received: from debbugs.gnu.org ([209.51.188.43]:46196) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1khV3K-0000CW-2t for bug-gnu-emacs@gnu.org; Tue, 24 Nov 2020 04:56:02 -0500 Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1khV3K-0002Zh-0d for bug-gnu-emacs@gnu.org; Tue, 24 Nov 2020 04:56:02 -0500 X-Loop: help-debbugs@gnu.org Resent-From: Jean Louis Original-Sender: "Debbugs-submit" Resent-CC: bug-gnu-emacs@gnu.org Resent-Date: Tue, 24 Nov 2020 09:56:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: report 44837 X-GNU-PR-Package: emacs X-Debbugs-Original-To: bug-gnu-emacs@gnu.org Original-Received: via spool by submit@debbugs.gnu.org id=B.16062117069821 (code B ref -1); Tue, 24 Nov 2020 09:56:01 +0000 Original-Received: (at submit) by debbugs.gnu.org; 24 Nov 2020 09:55:06 +0000 Original-Received: from localhost ([127.0.0.1]:57742 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1khV2P-0002YL-K6 for submit@debbugs.gnu.org; Tue, 24 Nov 2020 04:55:05 -0500 Original-Received: from lists.gnu.org ([209.51.188.17]:34150) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1khV2N-0002YB-NQ for submit@debbugs.gnu.org; Tue, 24 Nov 2020 04:55:04 -0500 Original-Received: from eggs.gnu.org ([2001:470:142:3::10]:51468) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1khV2N-0005Sm-EH for bug-gnu-emacs@gnu.org; Tue, 24 Nov 2020 04:55:03 -0500 Original-Received: from static.rcdrun.com ([95.85.24.50]:60947) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1khV2L-0007zy-Kr for bug-gnu-emacs@gnu.org; Tue, 24 Nov 2020 04:55:02 -0500 Original-Received: from localhost ([::ffff:41.202.241.56]) (AUTH: PLAIN admin, TLS: TLS1.2,256bits,ECDHE_RSA_AES_256_GCM_SHA384) by static.rcdrun.com with ESMTPSA id 00000000002C1AEA.000000005FBCD853.000073BD; Tue, 24 Nov 2020 09:54:27 +0000 Received-SPF: pass client-ip=95.85.24.50; envelope-from=support1@rcdrun.com; helo=static.rcdrun.com X-Spam_score_int: -16 X-Spam_score: -1.7 X-Spam_bar: - X-Spam_report: (-1.7 / 5.0 requ) BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.249, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=no autolearn_force=no X-Spam_action: no action X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: bug-gnu-emacs@gnu.org List-Id: "Bug reports for GNU Emacs, the Swiss army knife of text editors" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org Original-Sender: "bug-gnu-emacs" Xref: news.gmane.io gmane.emacs.bugs:194064 Archived-At: How to reproduce: - make email with the text containing Local-variables as below. -------------------- text begin below----------------------- * Eric S Fraga [2020-11-24 12:46]: > On Tuesday, 24 Nov 2020 at 12:00, Jean Louis wrote: > > Can I automated the execution of Babel code upon opening of the Org > > file? > > You can, by using file local variables. For instance, for some files, I > do this: > > #+begin_src org > ,* local variables :noexport: > # Local Variables: > # eval: (org-sbe "startup") > # End: > #+end_src > > which will evaluate the named src block "startup" when file is opened. > > Note that this is a potential security hole so only do this for files > you trust! For me is fine, as I do that for files I create. When I have opened this email i was also asked to set local variables, imagine. So that could maybe also mean that one could send email that is constructed as Org file and if user answers YES, one could inject malicious stuff. --------------- the text above ------------------- still asks me if I like to allow eval: (org-sbe "startup") So I think this is bug in Emacs as Local-variables should be on the end of the file. I am asked when editing such email to execute those local variables above quoted even though they are not on the end of the file. I think this is security issue as described above in the same file. People could spam other users, include some local variables and those answering with Emacs could send them their email addresses, or passwods or other private information, it could also invoke various modes like Org mode and execute various scripts. -- Thanks, Jean Louis ⎔ λ 🄯 𝍄 𝌡 𝌚