[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: bug#58774: 29.0.50; [WISH]: Let us make EWW browse WWW Org files cor
|
From: |
Ihor Radchenko |
|
Subject: |
Re: bug#58774: 29.0.50; [WISH]: Let us make EWW browse WWW Org files correctly |
|
Date: |
Wed, 26 Oct 2022 06:52:56 +0000 |
Stefan Kangas <stefankangas@gmail.com> writes:
> Ihor Radchenko <yantar92@posteo.net> writes:
>
>> The "problem" with shell links you are describing is a question of
>> setting variables and is also disabled by default.
>>
>> eww-mode, when loading Org page, could simply set
>> org-link-shell-confirm-function to its default value.
>
> Note that with the suggested feature, any link you follow risks being
> loaded in Org mode, before the user even has a chance to inspect the
> file. Which Org features, currently existing or introduced in the
> future, would EWW have to add workarounds for?
That's not the case. Org never loads arbitrary code on loading the file
without querying the user.
The problem raised above is what happens when user tries to open a shell
link and _also_ customized org-link-shell-confirm-function to nil (which
is explicitly marked as dangerous option).
Strictly speaking, even eww-mode may run arbitrary code given that user
puts something into eww-mode-hook.
> It is very hard to foresee which parts of Org will be problematic and
> have to be disabled. See the security vulnerability in enriched-mode
> that prompted the release of Emacs 25.3, for example.
>
> Adding this opens a can of worms that will expose unsuspecting users to
> a whole class of new problems. And the only benefit is to save some
> users from having to type "M-x org-mode RET", or adding call to a
> suitable hook.
I'd say that it will be safer to take care about necessary precautions
rather than leaving the user with the only option to run org-mode
manually.
If necessary, we can introduce a special variable in Org mode that will
disable all the potential third-party code evaluation, even if user has
customized Org to execute code without prompt.
--
Ihor Radchenko // yantar92,
Org mode contributor,
Learn more about Org mode at <https://orgmode.org/>.
Support Org development at <https://liberapay.com/org-mode>,
or support my work at <https://liberapay.com/yantar92>
- Re: 29.0.50; [WISH]: Let us make EWW browse WWW Org files correctly, (continued)
- Re: 29.0.50; [WISH]: Let us make EWW browse WWW Org files correctly, Jean Louis, 2022/10/26
- Re: 29.0.50; [WISH]: Let us make EWW browse WWW Org files correctly, Andreas Schwab, 2022/10/26
- Re: bug#58774: 29.0.50; [WISH]: Let us make EWW browse WWW Org files correctly, Jean Louis, 2022/10/26
- Re: bug#58774: 29.0.50; [WISH]: Let us make EWW browse WWW Org files correctly, Andreas Schwab, 2022/10/26
- Re: bug#58774: 29.0.50; [WISH]: Let us make EWW browse WWW Org files correctly, Jean Louis, 2022/10/26
- Re: bug#58774: 29.0.50; [WISH]: Let us make EWW browse WWW Org files correctly, Andreas Schwab, 2022/10/27
- Re: bug#58774: 29.0.50; [WISH]: Let us make EWW browse WWW Org files correctly, Jean Louis, 2022/10/27
- Re: 29.0.50; [WISH]: Let us make EWW browse WWW Org files correctly, Jean Louis, 2022/10/26
Re: 29.0.50; [WISH]: Let us make EWW browse WWW Org files correctly, Ihor Radchenko, 2022/10/25
Re: bug#58774: 29.0.50; [WISH]: Let us make EWW browse WWW Org files correctly, Dr. Arne Babenhauserheide, 2022/10/26
Re: bug#58774: 29.0.50; [WISH]: Let us make EWW browse WWW Org files correctly, Tim Cross, 2022/10/26
Re: bug#58774: 29.0.50; [WISH]: Let us make EWW browse WWW Org files correctly, Dr. Arne Babenhauserheide, 2022/10/27
Re: bug#58774: 29.0.50; [WISH]: Let us make EWW browse WWW Org files correctly, Stefan Kangas, 2022/10/26
Re: bug#58774: 29.0.50; [WISH]: Let us make EWW browse WWW Org files correctly, Jean Louis, 2022/10/26
Re: bug#58774: 29.0.50; [WISH]: Let us make EWW browse WWW Org files correctly, Max Nikulin, 2022/10/26
Re: bug#58774: 29.0.50; [WISH]: Let us make EWW browse WWW Org files correctly, Jean Louis, 2022/10/26
Re: bug#58774: 29.0.50; [WISH]: Let us make EWW browse WWW Org files correctly, Dr. Arne Babenhauserheide, 2022/10/26