From: Max Nikulin
Newsgroups: gmane.emacs.devel
Subject: Re: Reproducers for recent Emacs security issues
Date: Wed, 17 Apr 2024 21:31:16 +0700
To: emacs-devel@gnu.org

On 16/04/2024 20:23, Andrew Cohen wrote:
>
>     EZ> Maybe I misunderstand something (I don't use Gnus), but isn't it
>     EZ> a security problem that the presence of such a line in an email
>     EZ> message causes Emacs to download a remote file?
>
> It doesn't cause the file to be downloaded immediately---it displays a
> message identifying downloading the file as a possible security risk,
> and requires confirmation in order to proceed with the download. This
> seems OK from the security viewpoint.

The dialog was introduced in Org mode 9.6 while Emacs-28.2 (the version
in Debian stable) has Org 9.5. Moreover, Emacs before 29.3 had a bug,
and attempts to fetch the remote file happened even when users declined
requests. (I do not think the user experience would be great in the case
of a message having a dozen #+setupfile lines...)

> But this is what 'gnus-article-emulate-mime is supposed to do:
> it consults a list of regular expressions to match and invokes handlers
> to deal with them (whether the article is mime or not).

I did not figure out at first that it is not an attachment that
activates Org mode for the message body. However, almost certainly it is
incorrect that in the case of

#+startup: latexpreview
\begin{equation}
x = 1
\end{equation}

`org-mode' is invoked just for

---- 8< ----
#+startup: latexpreview
\begin{equation}
---- >8 ----

I am in doubt whether the intention is to highlight just the #+startup
line or the rest of the body. If a message contains just #+startup without
an immediately following \begin{equation}, then Org mode does not check
whether the latex command is available, and it is even more confusing.
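
Added example, not part of the original message and not Emacs, Org or Gnus code: a mail-side check that flags the two Org keyword lines discussed above (a #+setupfile pointing at a remote location, and #+startup with latexpreview) in text/plain parts. The function names, the rule for what counts as "remote", and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy

# Org keywords are case-insensitive and may be indented.
KEYWORD = re.compile(r"^[ \t]*#\+(setupfile|startup):[ \t]*(.*?)[ \t]*$", re.I)
# Assumption: "remote" means a URL scheme or a TRAMP-style /method:host: prefix.
REMOTE = re.compile(r"[a-z][a-z0-9+.-]*://|/[a-z0-9]+:[^/\s]+:", re.I)

def scan_body(text):
    """Return (line_no, kind, value) for each risky Org keyword line."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = KEYWORD.match(line)
        if not m:
            continue  # quoted ("> ...") and ordinary lines never match
        key, value = m.group(1).lower(), m.group(2)
        if key == "setupfile" and REMOTE.match(value.strip('"')):
            findings.append((no, "remote-setupfile", value))
        elif key == "startup" and "latexpreview" in value.lower().split():
            findings.append((no, "latexpreview", value))
    return findings

def scan_message(raw):
    """Scan every text/plain part; line numbers are relative to each part."""
    msg = message_from_string(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            found.extend(scan_body(part.get_content()))
    return found

# Constructed sample message (not taken from the thread).
SAMPLE = """\
From: sender@example.org
To: reader@example.org
Subject: constructed test message
Content-Type: text/plain; charset=UTF-8

Hello,

#+setupfile: https://example.org/setup.org
#+STARTUP: overview latexpreview
\\begin{equation}
x = 1
\\end{equation}
> #+setupfile: https://example.org/quoted.org
#+setupfile: ./local-setup.org
"""

if __name__ == "__main__":
    for no, kind, value in scan_message(SAMPLE):
        print(f"body line {no}: {kind}: {value}")
```

Only unquoted keyword lines are reported; the quoted line and the local ./local-setup.org path in the sample are ignored.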