bug#48676: Arbitrary code execution in Org export macros

From: Greg Minshall
Subject: bug#48676: Arbitrary code execution in Org export macros
Date: Thu, 27 May 2021 05:54:04 +0300

Glenn,

thanks for the report.

i guess my take is that macro-evaluation, and that of other forms,
should be subject to the same restrictions as that of source block
evaluation. i.e., prompting for permission to execute, subject to
=org-confirm-babel-evaluate= (or, more specific variables).

cheers, Greg

> Package: emacs,org-mode
> Version: 28.0.50
> Severity: important
> Tags: security
>
> emacs -Q hello.org, where hello.org contains:
>
> #+macro: hello (eval (shell-command-to-string "touch /tmp/HELLO"))
> Hello. {{{hello}}}
>
> Then:
> M-x org-export-dispatch
> t A
>
> -> now /tmp/HELLO exists, with no prompting.
>
> This seems contrary to normal Emacs practice for risky local variables,
> and to the section "Code Evaluation and Security Issues" in the Org manual
> (which does not mention macros).
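
The policy the reply proposes, applying the `org-confirm-babel-evaluate` rule to macros, can be approximated from a user's init file while the bug is open. The guard below is an added example for this page, not Org's own code and not something the report or reply contains: it scans the buffer for `#+macro:` definitions whose template calls `eval` and asks for confirmation before any export runs, per macro, the way Babel prompts per source block. `org-confirm-babel-evaluate`, `org-export-dispatch` and `org-export-as` are Org's real names; the `my/` functions are assumptions introduced here.

```elisp
;; Added example, not Org's code: refuse to export while the buffer defines
;; a macro whose template calls `eval', unless the user confirms each one.
;; The confirmation policy is borrowed from `org-confirm-babel-evaluate',
;; which Org itself applies only to source blocks, not to macros.
(require 'ob-core)   ; defines `org-confirm-babel-evaluate'

(defun my/org-eval-macro-definitions ()
  "Return (LINE . TEMPLATE) pairs for #+macro: lines that call eval.
Only textual definitions in the current buffer are inspected."
  (let ((case-fold-search t)   ; #+macro: and #+MACRO: both count
        found)
    (save-excursion
      (goto-char (point-min))
      (while (re-search-forward
              "^[ \t]*#\\+macro:[ \t]+[^ \t\n]+[ \t]+\\(.*(eval\\b.*\\)$"
              nil t)
        (push (cons (line-number-at-pos) (match-string-no-properties 1))
              found)))
    (nreverse found)))

(defun my/org-confirm-eval-macros (&rest _)
  "Apply the `org-confirm-babel-evaluate' policy to eval macros before export.
nil means never ask (as for Babel); a function value is called with the
pseudo-language \"macro\" and the template text; any other value means ask.
Signals `user-error' when the user declines, which aborts the export."
  (when (derived-mode-p 'org-mode)
    (dolist (def (my/org-eval-macro-definitions))
      (let ((ask (if (functionp org-confirm-babel-evaluate)
                     (funcall org-confirm-babel-evaluate "macro" (cdr def))
                   org-confirm-babel-evaluate)))
        (when (and ask
                   (not (yes-or-no-p
                         (format "Line %d defines a macro that calls eval:\n  %s\nExport anyway? "
                                 (car def) (cdr def)))))
          (user-error "Export aborted: macro on line %d not confirmed"
                      (car def)))))))

;; Check before the interactive dispatcher and before direct export calls
;; such as (org-export-as 'ascii ...).
(advice-add 'org-export-dispatch :before #'my/org-confirm-eval-macros)
(advice-add 'org-export-as :before #'my/org-confirm-eval-macros)
```

With this loaded, the `hello.org` from the report prompts once for line 1 before `t A` produces any output, and declining leaves `/tmp/HELLO` absent. It is a regex over the visible buffer, so it does not see macros pulled in through `#+setupfile:` or `#+include:` keywords, or entries placed in `org-export-global-macros`; a real fix belongs in Org's macro expansion, where the template is actually evaluated.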