From: Ihor Radchenko
To: Stefan Kangas
Cc: "Dr. Arne Babenhauserheide", 58774@debbugs.gnu.org, emacs-orgmode@gnu.org, bugs@gnu.support
Subject: Re: bug#58774: 29.0.50; [WISH]: Let us make EWW browse WWW Org files correctly
References: <86bkq0qf8p.fsf@protected.rcdrun.com> <87bkq0t03l.fsf@web.de> <87v8o7qzff.fsf@localhost>
Date: Wed, 26 Oct 2022 06:52:56 +0000
Message-ID: <87zgdjoz3r.fsf@localhost>
List-Id: "General discussions about Org-mode."
Stefan Kangas writes:

> Ihor Radchenko writes:
>
>> The "problem" with shell links you are describing is a question of
>> setting variables and is also disabled by default.
>>
>> eww-mode, when loading an Org page, could simply set
>> org-link-shell-confirm-function to its default value.
>
> Note that with the suggested feature, any link you follow risks being
> loaded in Org mode, before the user even has a chance to inspect the
> file. Which Org features, currently existing or introduced in the
> future, would EWW have to add workarounds for?

That's not the case. Org never loads arbitrary code on loading the file
without querying the user. The problem raised above is what happens when
the user tries to open a shell link and _also_ customized
org-link-shell-confirm-function to nil (which is explicitly marked as a
dangerous option).

Strictly speaking, even eww-mode may run arbitrary code given that the
user puts something into eww-mode-hook.

> It is very hard to foresee which parts of Org will be problematic and
> have to be disabled. See the security vulnerability in enriched-mode
> that prompted the release of Emacs 25.3, for example.
>
> Adding this opens a can of worms that will expose unsuspecting users to
> a whole class of new problems. And the only benefit is to save some
> users from having to type "M-x org-mode RET", or adding a call to a
> suitable hook.

I'd say that it will be safer to take care of the necessary precautions
rather than leaving the user with the only option of running org-mode
manually. If necessary, we can introduce a special variable in Org mode
that will disable all the potential third-party code evaluation, even if
the user has customized Org to execute code without a prompt.
-- 
Ihor Radchenko // yantar92,
Org mode contributor,
Learn more about Org mode at .
Support Org development at ,
or support my work at
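As an added example (not part of the thread, and not Org's or EWW's own code): the Emacs Lisp settings the message refers to, with the dangerous customization shown beside the shipped defaults, and a hypothetical helper (`my/org-mode-untrusted-buffer`, an assumed name) that forces the confirmation prompts back on buffer-locally before enabling `org-mode` on content fetched from the network, in the way the reply suggests EWW could. All variable names and their default values are Org's real ones; only the helper is invented.

```elisp
;; Added example, not Org's or EWW's code.  The variables below are the
;; real Org customization points the thread talks about; the helper at
;; the end is a hypothetical illustration.

;; The dangerous customization mentioned in the thread: setting this to
;; nil removes the prompt that normally precedes running a shell: link.
;; Shown for reference only; never set it globally.
;; (setq org-link-shell-confirm-function nil)

;; Shipped defaults: every shell: link, every elisp: link and every
;; Babel source block asks before anything is executed.
(setq org-link-shell-confirm-function #'yes-or-no-p
      org-link-elisp-confirm-function #'yes-or-no-p
      org-confirm-babel-evaluate t)

(defun my/org-mode-untrusted-buffer ()
  "Hypothetical helper: enable `org-mode' in the current buffer with the
confirmation prompts forced back to their defaults, regardless of the
user's global customization.  Meant for content fetched over the
network, as in the EWW case discussed in the thread.

The buffer-local values are set AFTER `org-mode' runs, because changing
the major mode kills ordinary buffer-local variables."
  (org-mode)
  (setq-local org-link-shell-confirm-function #'yes-or-no-p)
  (setq-local org-link-elisp-confirm-function #'yes-or-no-p)
  (setq-local org-confirm-babel-evaluate t)
  ;; A user may have whitelisted commands via these regexps; for an
  ;; untrusted buffer no link should skip the prompt.
  (setq-local org-link-shell-skip-confirm-regexp nil)
  (setq-local org-link-elisp-skip-confirm-regexp nil))
```

The helper only addresses the prompts Org itself controls; it does nothing about code a user has placed in `eww-mode-hook` or `org-mode-hook`, which is the point the reply makes about eww-mode, and it deliberately does not call `hack-local-variables` on the fetched buffer.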