Org mode code evaluation (was: bug#68687: [PATCH] Use text/org media typ

emacs-orgmode

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Org mode code evaluation (was: bug#68687: [PATCH] Use text/org media typ

From:	Mike Kupfer
Subject:	Org mode code evaluation (was: bug#68687: [PATCH] Use text/org media type)
Date:	Tue, 30 Jan 2024 09:12:49 -0800

Ihor Radchenko wrote:

> Max is referring to various security issues with evaluating code inside
> Org mode buffers. They are known, but not relevant to Org text being
> displayed in email MUA - Org never evaluates any code automatically
> without user explicitly asking for it. And in MUA, Org mode is simply
> used to apply faces. No other interaction with the displayed text/org
> mime part is allowed.

I can believe that Org text snippets are safe in an email MUA.  

But in the general case, I don't think Org mode is quite as safe as you
implied.  The last I heard, conversion from Org mode to another format
(e.g., plain text or HTML) can result in code evaluation, without the
user authorizing it (see
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=48676).  I would not
expect random users to understand that format conversion is a
potentially risky operation.

mike

[Prev in Thread]

Current Thread

[Next in Thread]

Re: bug#68687: [PATCH] Use text/org media type, (continued)

Prev by Date: Async Python src block behavior with :dir header property
Next by Date: Re: Async Python src block behavior with :dir header property
Previous by thread: Re: bug#68687: [PATCH] Use text/org media type
Next by thread: Re: Org mode code evaluation (was: bug#68687: [PATCH] Use text/org media type)
Index(es):
- Date
- Thread