From: Max Nikulin
Subject: Re: Reproducers for recent Emacs security issues
Date: Wed, 17 Apr 2024 21:31:16 +0700
User-agent: Mozilla Thunderbird
On 16/04/2024 20:23, Andrew Cohen wrote:
> EZ> Maybe I misunderstand something (I don't use Gnus), but isn't it
> EZ> a security problem that the presence of such a line in an email
> EZ> message causes Emacs to download a remote file?
>
> It doesn't cause the file to be downloaded immediately---it displays a
> message identifying downloading the file as a possible security risk,
> and requires confirmation in order to proceed with the download. This
> seems OK from the security viewpoint.
The dialog was introduced in Org mode 9.6, while Emacs-28.2 (the version in Debian stable) has Org 9.5. Moreover, Emacs before 29.3 had a bug, and attempts to fetch the remote file happened even when users declined the requests. (I do not think the user experience would be great in the case of a message having a dozen #+setupfile lines...)
> But this is what `gnus-article-emulate-mime' is supposed to do: it
> consults a list of regular expressions to match and invokes handlers to
> deal with them (whether the article is mime or not).
I did not figure out at first that it is not an attachment that activates Org mode for message body.
However almost certainly it is incorrect that in the case of

#+startup: latexpreview
\begin{equation}
x = 1
\end{equation}

`org-mode' is invoked just for

---- 8< ----
#+startup: latexpreview
\begin{equation}
---- >8 ----

I am in doubt whether the intention is to highlight just the #+startup line or the rest of the body.
If a message contains just #+startup without an immediately following \begin{equation}, then Org mode does not try whether the latex command is available, and it is even more confusing.
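Editor's note, added to this archived message and not written by any participant in the thread: the exchange above concerns two separate knobs, the Org-side confirmation dialog and the Gnus-side MIME emulation that hands `#+` lines to `org-mode`. The Emacs Lisp below shows how a reader who wants the conservative setting can turn both off. The variable names (`org-resource-download-policy`, `mm-uu-configure-list`, `mm-uu-type-alist`, the `org-meta-line` and `org-src-code-block` entry names, and `mm-uu-configure-p`) are taken from org.el and mm-uu.el as the editor recalls them and are assumptions, not something the thread states; verify each with `C-h v` / `C-h f` on your own Emacs version before relying on it, and `my/mm-uu-org-disabled-p` is a hypothetical helper introduced here.

```elisp
;; Added example (not from the thread).  Defensive settings for the
;; mechanism discussed above.  Names below are as the editor recalls them
;; from org.el and mm-uu.el; confirm with C-h v before use.

;; 1. Org side.  `org-resource-download-policy' is (assumed to be) the
;;    variable behind the confirmation dialog mentioned above, present
;;    since Org 9.6.  nil refuses every remote #+setupfile / resource
;;    fetch outright; the default `ask' prompts each time.
(with-eval-after-load 'org
  (setq org-resource-download-policy nil))

;; 2. Gnus side.  mm-uu recognises "#+..." meta lines and #+begin_ blocks
;;    in plain-text bodies via entries of `mm-uu-type-alist' and hands
;;    them to `org-mode'.  Disabling the two Org entries stops that
;;    without touching PGP-inline, uuencode, diff detection and so on.
;;    `mm-uu-configure-list' has a :set handler that rebuilds the combined
;;    detection regexp, so set it through customize-set-variable rather
;;    than a bare setq.
(with-eval-after-load 'mm-uu
  (customize-set-variable
   'mm-uu-configure-list
   (append '((org-meta-line . disabled)
             (org-src-code-block . disabled))
           mm-uu-configure-list)))

;; 3. Coarsest knob, quoted from the thread: turn MIME emulation off for
;;    non-MIME articles entirely.  Left commented out because it also
;;    drops the other emulated handlers.
;; (setq gnus-article-emulate-mime nil)

;; Hypothetical helper for checking the result interactively
;; (M-: (my/mm-uu-org-disabled-p) RET should return non-nil).
(defun my/mm-uu-org-disabled-p ()
  "Return non-nil when both Org entries of mm-uu are marked disabled."
  (require 'mm-uu)
  (and (mm-uu-configure-p 'org-meta-line 'disabled)
       (mm-uu-configure-p 'org-src-code-block 'disabled)))
```

The two settings are independent: the first governs what Org does once a buffer is in `org-mode`, the second governs whether Gnus puts article text into `org-mode` in the first place, which is the path the thread identifies as the actual trigger.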