Re: [POLL] Bug of Feature? Attack vector via deceiving link abbrevs (was
From: Steven Allen
Subject: Re: [POLL] Bug of Feature? Attack vector via deceiving link abbrevs (was: [ANN] Emergency bugfix release: Org mode 9.7.5)
Date: Fri, 28 Jun 2024 08:52:00 -0700

Ihor Radchenko <yantar92@posteo.net> writes:
> Ihor Radchenko <yantar92@posteo.net> writes:
>
>> I just released Org mode 9.7.5 that fixes a critical vulnerability.
>> The release is coordinated with emergency Emacs 29.4 release.
>
> This one is another potential issue (or a feature) we have found while
> discussing the main vulnerability.
>
> Currently, one can create an Org file like
>
> #+LINK: https https://fake-gmail-login-page.xyz/
> [[https://gmail.com]]

This is no different from:

[[https://fake-gmail-login-page.xyz][https://gmail.com]]

In both cases, mousing over the link will show you the actual target address.

On the other hand, having different faces for "plain" links (links where
the text in the buffer matches the link target) and special links would
be kind of nice.
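
A checker for the two forms compared in this message, as an added example that is not part of the original post or of Org mode: it flags `#+LINK:` abbreviations whose key shadows a URL scheme, and bracket links whose visible URL names a different host than the expanded target. The function names, the scheme list and the simplified expansion (plain append and `%s` only) are assumptions.

```python
import re
from urllib.parse import urlsplit

# Schemes a reader expects to behave as ordinary URLs (assumed list).
URL_SCHEMES = {"http", "https", "ftp", "mailto", "file"}
LINK_KEYWORD = re.compile(r"^[ \t]*#\+LINK:[ \t]+(\S+)[ \t]+(\S.*?)[ \t]*$", re.I | re.M)
BRACKET_LINK = re.compile(r"\[\[([^\]\n]+)\](?:\[([^\]\n]+)\])?\]")

# Constructed samples built from the two forms quoted in the message.
SAMPLE_ABBREV = "#+LINK: https https://fake-gmail-login-page.xyz/\n[[https://gmail.com]]\n"
SAMPLE_DESC = ("[[https://fake-gmail-login-page.xyz][https://gmail.com]]\n"
               "[[https://example.org][Example home]]\n")

def host(text):
    """Host of URL-looking text, or None when it has none."""
    try:
        return urlsplit(text.strip()).hostname
    except ValueError:
        return None

def expand(target, abbrevs):
    """Simplified abbreviation expansion: plain append and %s only."""
    key, sep, tag = target.partition(":")
    if not sep or key not in abbrevs:
        return target
    repl = abbrevs[key]
    return repl.replace("%s", tag) if "%s" in repl else repl + tag

def audit(org_text):
    """Return (rule, shown, actual) tuples for links that can mislead."""
    abbrevs = dict(LINK_KEYWORD.findall(org_text))
    findings = [("abbrev-shadows-scheme", key, repl)
                for key, repl in abbrevs.items() if key.lower() in URL_SCHEMES]
    for match in BRACKET_LINK.finditer(org_text):
        target, desc = match.groups()
        shown = desc if desc is not None else target
        actual = expand(target, abbrevs)
        if host(shown) and host(actual) and host(shown) != host(actual):
            findings.append(("display-target-mismatch", shown, actual))
    return findings

if __name__ == "__main__":
    for sample in (SAMPLE_ABBREV, SAMPLE_DESC):
        for finding in audit(sample):
            print(finding)
```

Links whose description is ordinary text rather than a URL are not flagged, since there is no displayed host to compare against.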