References: <2nk0nl7asb.fsf@fencepost.gnu.org>
User-agent: mu4e 1.5.13; emacs 27.2.50
From: Tim Cross <theophilusx@gmail.com>
To: emacs-orgmode@gnu.org
Subject: Re: bug#48676: Arbitrary code execution in Org export macros
Date: Thu, 27 May 2021 09:01:33 +1000
In-reply-to: <2nk0nl7asb.fsf@fencepost.gnu.org>
Message-ID: <875yz5nlfu.fsf@gmail.com>

Glenn Morris <rgm@gnu.org> writes:

> Package: emacs,org-mode
> Version: 28.0.50
> Severity: important
> Tags: security
>
> emacs -Q hello.org, where hello.org contains:
>
> #+macro: hello (eval (shell-command-to-string "touch /tmp/HELLO"))
> Hello. {{{hello}}}
>
> Then:
> M-x org-export-dispatch
> t A
>
> -> now /tmp/HELLO exists, with no prompting.
>
> This seems contrary to normal Emacs practice for risky local variables,
> and to the section "Code Evaluation and Security Issues" in the Org manual
> (which does not mention macros).

I'm not quite sure if this is the same as the concern with risky local
file variables. The big difference is that with the local file
variables, without the default behaviour of asking for permission to
evaluate, the code would be evaluated simply by loading the file. With
the org file, nothing is evaluated when you load the file. The user has
to actively request evaluation (via export or tangling).

I would agree the org manual should make it very clear that exporting
and tangling can result in macro evaluation, which could involve
evaluation of arbitrary code and the risks this can introduce.

-- 
Tim Cross
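A defensive pre-export check for the construct shown in the bug report above: it scans an Org file for `#+macro:` definitions whose body is an `(eval ...)` form and reports whether each one is actually expanded by a `{{{name}}}` call. This is an added example, not part of the original thread or of Org's own code; the sample document is constructed from the report's reproduction and the function names are my own.

```python
"""Flag Org macros that evaluate Lisp on export (added example, not Org code)."""
import re
from typing import NamedTuple

# Org macro definition line: "#+macro: NAME BODY" (the keyword is case-insensitive).
MACRO_DEF = re.compile(r"^\s*#\+macro:\s+(\S+)\s+(.*)$", re.IGNORECASE)
# Macro call sites in the body text: {{{name}}} or {{{name(arg1,arg2)}}}.
MACRO_USE = re.compile(r"\{\{\{([A-Za-z0-9_-]+)(?:\([^)]*\))?\}\}\}")
# A macro body that starts with an (eval ...) form runs arbitrary Lisp on export.
EVAL_FORM = re.compile(r"^\s*\(\s*eval\b", re.IGNORECASE)


class Finding(NamedTuple):
    line: int   # 1-based line of the #+macro: definition
    name: str   # macro name as written
    body: str   # macro body (the Lisp form)
    used: bool  # True if some {{{name}}} in the document expands it


def scan_org(text: str) -> list[Finding]:
    """Return every eval-macro definition, noting whether it is expanded anywhere."""
    defs = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = MACRO_DEF.match(line)
        if m and EVAL_FORM.match(m.group(2)):
            defs.append((lineno, m.group(1), m.group(2).strip()))
    used = {m.group(1) for m in MACRO_USE.finditer(text)}
    return [Finding(n, name, body, name in used) for n, name, body in defs]


def export_is_safe(text: str) -> bool:
    """True when no eval macro would actually run during export."""
    return not any(f.used for f in scan_org(text))


# Constructed sample: the report's macro plus a harmless text macro and an
# eval macro that is defined but never expanded.
SAMPLE = """\
#+title: Hello
#+macro: hello (eval (shell-command-to-string "touch /tmp/HELLO"))
#+macro: greeting Good morning, $1!
#+macro: unused (eval (+ 1 2))
Hello. {{{hello}}} {{{greeting(Alice)}}}
"""

if __name__ == "__main__":
    for f in scan_org(SAMPLE):
        state = "EXPANDED on export" if f.used else "defined but unused"
        print(f"line {f.line}: macro '{f.name}' evaluates Lisp ({state}): {f.body}")
    print("safe to export without review:", export_is_safe(SAMPLE))
```

Run it against a document before exporting or tangling; a non-empty report is the prompt that the manual section discussed above would otherwise have provided.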