From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail From: Ihor Radchenko Newsgroups: gmane.emacs.bugs Subject: bug#58774: 29.0.50; [WISH]: Let us make EWW browse WWW Org files correctly Date: Wed, 26 Oct 2022 06:52:56 +0000 Message-ID: <87zgdjoz3r.fsf__43851.691081521$1666767274$gmane$org@localhost> References: <86bkq0qf8p.fsf@protected.rcdrun.com> <87bkq0t03l.fsf@web.de> <87v8o7qzff.fsf@localhost> Mime-Version: 1.0 Content-Type: text/plain Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214"; logging-data="20955"; mail-complaints-to="usenet@ciao.gmane.io" Cc: 58774@debbugs.gnu.org, "Dr. Arne Babenhauserheide" , emacs-orgmode@gnu.org, bugs@gnu.support To: Stefan Kangas Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org Wed Oct 26 08:54:26 2022 Return-path: Envelope-to: geb-bug-gnu-emacs@m.gmane-mx.org Original-Received: from lists.gnu.org ([209.51.188.17]) by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1onaJ0-0005D9-2M for geb-bug-gnu-emacs@m.gmane-mx.org; Wed, 26 Oct 2022 08:54:26 +0200 Original-Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1onaHn-0006iM-TN; Wed, 26 Oct 2022 02:53:13 -0400 Original-Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1onaHf-0006TS-3M for bug-gnu-emacs@gnu.org; Wed, 26 Oct 2022 02:53:03 -0400 Original-Received: from debbugs.gnu.org ([209.51.188.43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1onaHe-00058U-LC for bug-gnu-emacs@gnu.org; Wed, 26 Oct 2022 02:53:02 -0400 Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1onaHe-0002tx-Gh for bug-gnu-emacs@gnu.org; Wed, 26 Oct 2022 02:53:02 -0400 X-Loop: help-debbugs@gnu.org Resent-From: Ihor Radchenko Original-Sender: "Debbugs-submit" Resent-CC: bug-gnu-emacs@gnu.org Resent-Date: Wed, 26 Oct 2022 06:53:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 58774 X-GNU-PR-Package: emacs X-GNU-PR-Keywords: wontfix Original-Received: via spool by 58774-submit@debbugs.gnu.org id=B58774.166676714411107 (code B ref 58774); Wed, 26 Oct 2022 06:53:02 +0000 Original-Received: (at 58774) by debbugs.gnu.org; 26 Oct 2022 06:52:24 +0000 Original-Received: from localhost ([127.0.0.1]:53107 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1onaH2-0002t5-CK for submit@debbugs.gnu.org; Wed, 26 Oct 2022 02:52:24 -0400 Original-Received: from mout02.posteo.de ([185.67.36.66]:55321) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1onaH0-0002sp-6C for 58774@debbugs.gnu.org; Wed, 26 Oct 2022 02:52:22 -0400 Original-Received: from submission (posteo.de [185.67.36.169]) by mout02.posteo.de (Postfix) with ESMTPS id A5B66240101 for <58774@debbugs.gnu.org>; Wed, 26 Oct 2022 08:52:16 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=posteo.net; s=2017; t=1666767136; bh=DpqQ9t2XvY7NpJyEYVsWYpLIz3vRNR8UjMblG3goao0=; h=From:To:Cc:Subject:Date:From; b=KIp5Fi5sVUHye7FLuIWDNesMJxuBNv0QPKAsmP/5lwWmRp7sR12GVu83o+/kDNMOB PW2iRC9cgtcnxfXqHSB2zP0DBA+9tVahzqjhH4+ZLSKjHi2KmkCuhVuU+jFvRkXQxU tL+CJWuoXcOzsr4ra7X209WzfSEDltvLc/FvDLnmciLuPOSuO2A1LjxLOYWxGLUGOP ioHEuiPM7P8dS8bYQ6L92M6ZO9smORReg+0b51MZmQQhgL+HgYcMII3v7JfSgPBiem NxYyhP0ctutnm1Lk3EPJK+Ip/rlMPHZz5qNg1QdWMNPNhdJVP42POO3X2jT1wiBcPA 6T6RJIgDFz8Pw== Original-Received: from customer (localhost [127.0.0.1]) by submission (posteo.de) with ESMTPSA id 4Mxzy54Klgz9rxK; Wed, 26 Oct 2022 08:52:13 +0200 (CEST) In-Reply-To: X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: bug-gnu-emacs@gnu.org List-Id: "Bug reports for GNU Emacs, the Swiss army knife of text editors" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Original-Sender: "bug-gnu-emacs" Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org Xref: news.gmane.io gmane.emacs.bugs:246199 Archived-At: Stefan Kangas writes: > Ihor Radchenko writes: > >> The "problem" with shell links you are describing is a question of >> setting variables and is also disabled by default. >> >> eww-mode, when loading Org page, could simply set >> org-link-shell-confirm-function to its default value. > > Note that with the suggested feature, any link you follow risks being > loaded in Org mode, before the user even has a chance to inspect the > file. Which Org features, currently existing or introduced in the > future, would EWW have to add workarounds for? That's not the case. Org never loads arbitrary code on loading the file without querying the user. The problem raised above is what happens when user tries to open a shell link and _also_ customized org-link-shell-confirm-function to nil (which is explicitly marked as dangerous option). Strictly speaking, even eww-mode may run arbitrary code given that user puts something into eww-mode-hook. > It is very hard to foresee which parts of Org will be problematic and > have to be disabled. See the security vulnerability in enriched-mode > that prompted the release of Emacs 25.3, for example. > > Adding this opens a can of worms that will expose unsuspecting users to > a whole class of new problems. And the only benefit is to save some > users from having to type "M-x org-mode RET", or adding call to a > suitable hook. I'd say that it will be safer to take care about necessary precautions rather than leaving the user with the only option to run org-mode manually. If necessary, we can introduce a special variable in Org mode that will disable all the potential third-party code evaluation, even if user has customized Org to execute code without prompt. -- Ihor Radchenko // yantar92, Org mode contributor, Learn more about Org mode at . Support Org development at , or support my work at