[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[SECURITY] Tangling can overwrite arbitrary tangling targets, including
From: |
Ihor Radchenko |
Subject: |
[SECURITY] Tangling can overwrite arbitrary tangling targets, including important user files (was: [SECURITY] Arbitrary code evaluation security in Org) |
Date: |
Tue, 03 Jan 2023 09:52:26 +0000 |
Greg Minshall <minshall@umich.edu> writes:
> one additional item (i don't *think* we discussed this before; apologies
> if i'm forgetting): tangling. if one is prompted to "merely" tangle ...
> ----
> #+begin_src sh :tangle /var/tmp/foo.org.tangled
> echo 'hi!'
> #+end_src
> ----
>
> one could imagine more sinister scenarios for destination, content.
>
> i don't really know what, how much, to do. possibly just an option,
> defaulting to =nil=, allowing tangle to write a file outside the subtree
> that holds the .org file being tangled.
Good point. Though not directly related to code execution.
In this particular case, we might be able to utilize Emacs' file
dialogues. For example, `write-file' can ask about overwriting an
existing file.
--
Ihor Radchenko // yantar92,
Org mode contributor,
Learn more about Org mode at <https://orgmode.org/>.
Support Org development at <https://liberapay.com/org-mode>,
or support my work at <https://liberapay.com/yantar92>