Re: [PATCH] ob-core: add org-confirm-babel-evaluate-cell custom variable

[Max Nikulin]

On 15/12/2022 16:10, Ihor Radchenko wrote:
> Max Nikulin writes:
>
> > I am still in doubts if
> >
> > 10e857d42 2022-10-28 11:09:50 +0800 Ihor Radchenko: org-babel-read: Obey
> > `org-confirm-babel-evaluate'
> >
> > was an unambiguous improvement. Perhaps it just forces more users to set
> > `org-confirm-babel-evaluate' to nil compromising their security to more
> > severe degree.
>
> Should we then extend `org-babel-check-evaluate' to accept "All" answer
> in the coming bugfix release?

I would consider reverting the commit causing user prompt for every 
variable. I believe, there should be single prompt on attempt to execute 
a source block. I admit it is not easy to implement.

Main purpose of the new patch is to allow old behavior. Unfortunately it 
adds more complexity to logic around user prompts and classifying some 
expressions as safe.

I am not comfortable with attempts to consider Org as a format for web 
browser similar to HTML: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=58774
Features great for personal notebooks and authoring of documents are 
disaster for documents from non-trusted sources.

In particular, I consider the following reaction as unreasonably 
optimistic. I am afraid, a lot of work is required to achieve such goal.

https://list.orgmode.org/Y1uFDWOjZb85lk+3@protected.localdomain
Re: [BUG][Security] begin_src :var evaluated before the prompt to 
confirm execution
On 28/10/2022 14:30, Jean Louis wrote:
> * Ihor Radchenko [2022-10-28 06:19]:
> > Jean Louis writes:
> > > * Max Nikulin [2022-10-27 06:21]:
> > > > Expected result:
> > > > No code from the Org buffer and linked files is executed prior to
> > > > confirmation from the user.
> > >
> > > Should that be or is it a general policy for Org mode?
> >
> > Yes, it is a general policy.
> > Org should not execute arbitrary Elisp without confirmation, unless the
> > user customizes the confirmation query to non-default.
>
> That is nice to know. It opens doors for browsing Org files within Emacs.

On 15/12/2022 16:10, Ihor Radchenko wrote:
> In future release, we may go for more powerful prompt as discussed in
> https://orgmode.org/list/8735cyxonl.fsf@localhost

Single prompt for whole bunch of code related to particular block was 
not discussed in that thread, that time the issue was not as sever as 
now. By the way, is it reliable to use (buffer-file-name 
(buffer-base-buffer)) in `org-confirm-babel-evaluate' to determine if 
some file resides in a "safe" directory? It may be discussed in that thread.

I believe that :var code is equally dangerous to the source block body. 
However while nobody pushes Org as a web browser format, it is better to 
implement a transparent and consistent approach to prevention of 
non-trusted code execution.