From: Tom Gillespie
Newsgroups: gmane.emacs.bugs
Subject: bug#48676: Arbitrary code execution in Org export macros
Date: Wed, 26 May 2021 11:00:09 -0700
References: <2nk0nl7asb.fsf@fencepost.gnu.org> <87mtsho240.fsf@gmail.com>
To: Timothy
Cc: rgm@gnu.org, 48676@debbugs.gnu.org

Hi Glenn,

The definition for local variables doesn't cover things like org macros, though the spirit of the policy is something worth keeping in mind. Running M-x org-export-dispatch and hitting two keys means that the user has to do something to trigger code execution, much like they would have to intentionally accept certain risky local variables.

That said, the fact that many org operations can run arbitrary code is definitely something that needs clearer documentation. It might make sense to add a setting to detect closures that appear in org files to ask for permission before running, but it likely should not be on by default.

For a fairly extensive discussion of code execution in org see this thread from Nov 2020.
https://orgmode.org/list/robi94$ma$1@ciao.gmane.io/#t

Best,
Tom
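
One way the opt-in confirmation suggested in the message above could look, as an added example that is not code from Org or from the poster. It assumes the check is limited to `#+MACRO:` keywords whose template starts with `(eval`, and that the export hook is named `org-export-before-processing-hook` (as in Org 9.4); every `my/` name is hypothetical.

```emacs-lisp
;;; Added example, not part of Org.  All `my/' names are hypothetical.
(require 'org)
(require 'ox)

(defcustom my/org-confirm-eval-macros nil
  "When non-nil, ask before exporting a buffer that defines eval macros.
Off by default, as the message suggests."
  :type 'boolean
  :group 'org-export)

(defconst my/org-eval-macro-re
  "^[ \t]*#\\+MACRO:[ \t]+\\(\\S-+\\)[ \t]+(eval\\>"
  "Match a #+MACRO keyword whose template starts with \"(eval\".")

(defun my/org-eval-macro-names ()
  "Return the names of eval macros defined in the current buffer.
Macros pulled in through #+SETUPFILE are not seen by this scan."
  (let ((case-fold-search t)            ; keywords are case-insensitive
        names)
    ;; Widen first: a macro defined outside a narrowed region still counts.
    (org-with-wide-buffer
     (goto-char (point-min))
     (while (re-search-forward my/org-eval-macro-re nil t)
       (push (match-string-no-properties 1) names)))
    (nreverse names)))

(defun my/org-check-eval-macros (_backend)
  "Abort the export unless the user approves the buffer's eval macros."
  (when my/org-confirm-eval-macros
    (let ((names (my/org-eval-macro-names)))
      (when (and names
                 (not (yes-or-no-p
                       (format "Macros %s run Emacs Lisp on export.  Continue? "
                               (mapconcat #'identity names ", ")))))
        ;; Signalling here stops the export before macros are expanded.
        (user-error "Export aborted: eval macros not approved")))))

;; The hook runs at the start of every export, before macro expansion.
(add-hook 'org-export-before-processing-hook #'my/org-check-eval-macros)
```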