Date: Wed, 25 Nov 2020 07:44:54 +0300
From: Jean Louis
To: Tom Gillespie
Subject: Re: One vs many directories
Cc: Dr. Arne Babenhauserheide, Texas Cyberthal, emacs-orgmode, Diego Zamboni, Ihor Radchenko
List-Id: "General discussions about Org-mode."

* Tom Gillespie [2020-11-24 23:11]:
> > > That is security issue.
> >
> > Why is it a security issue? The variables do need to be close to the end
> > — 3000 characters is only about 50 lines.
>
> It isn't a security issue by itself. Emacs never automatically runs
> eval file local variables unless you have tampered with
> enable-local-eval, in which case the tampering is the security issue
> not the existence of the local variables list.
>
> Thus it is only a security issue if you permanently accept that eval
> file local variable and then open random org files that use it with a
> malicious startup block. An eval file local variable like that which
> blindly executes an org babel block should never be permanently
> accepted

I do understand conditions.
But I can say that I did not understand conditions for one decade and a half, as I was not aware that Emacs has a "real programming language" built-in, and I have been spending my time with outside languages that I was invoking from Emacs.

Yes, I did read that Emacs has Emacs Lisp. I was configuring Emacs but I have not been thinking that it is Lisp. I could figure out those settings without reading the manual. As I have been programming in Emacs Lisp for years, I am aware of it.

Before, I was thinking that local variables belong somewhere and that I should enable them, despite all the warnings. There was a lack of understanding despite the information in front of me. Some files I opened asked me to enable local variables, so many times I did so without thinking.

My personal behavior of enabling local variables that other authors have written is probably not an isolated case. So that is a security issue, as a number of users among thousands are weak on this.

When I say security issue I do not think of myself, you or the majority of people currently, but that there are probably millions of people who can be affected by this. I also know spammers are harvesting mailing lists.
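
The conditions named in the quoted reply (a changed enable-local-eval, or an eval file-local variable that was accepted permanently) can be checked in a running Emacs. The following is an added example, not part of the original message or of Org's code; the `my/` function names are hypothetical.

```elisp
;;; Added example: report settings under which opening a file can run
;;; code without a prompt.  The my/ names are hypothetical.

(defun my/local-eval-findings ()
  "Return a list of strings describing risky file-local trust settings."
  (let ((default-forms
         ;; Forms Emacs itself ships as safe; only additions are reported.
         (eval (car (get 'safe-local-eval-forms 'standard-value)) t))
        findings)
    ;; Default is `maybe' (ask).  t means eval forms run without asking.
    (when (eq enable-local-eval t)
      (push "enable-local-eval is t: eval forms run without a prompt"
            findings))
    ;; :all applies every file-local variable, safe or not, unqueried.
    (when (eq enable-local-variables :all)
      (push "enable-local-variables is :all: nothing is ever queried"
            findings))
    ;; Answering "!" at the local-variables prompt saves the pair here,
    ;; so the same eval form is trusted in every file from then on.
    (dolist (pair safe-local-variable-values)
      (when (eq (car-safe pair) 'eval)
        (push (format "permanently accepted eval form: %S" (cdr pair))
              findings)))
    (dolist (form safe-local-eval-forms)
      (unless (member form default-forms)
        (push (format "added to safe-local-eval-forms: %S" form)
              findings)))
    ;; Org asks before running a Babel block unless this is nil.
    (when (and (boundp 'org-confirm-babel-evaluate)
               (null org-confirm-babel-evaluate))
      (push "org-confirm-babel-evaluate is nil: blocks run unprompted"
            findings))
    (nreverse findings)))

(defun my/report-local-eval-trust ()
  "Show the findings of `my/local-eval-findings' in the echo area."
  (interactive)
  (let ((findings (my/local-eval-findings)))
    (message "%s"
             (if findings
                 (mapconcat #'identity findings "\n")
               "No unprompted local eval trust found"))))
```

Entries reported as permanently accepted can be removed through `M-x customize-variable RET safe-local-variable-values`.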