GNU bug report logs - #44837
28.0.50; Local-variables: in middle of file wants to get executed

Please note: This is a static page, with minimal formatting, updated once a day.
Click here to see this page with the latest information and nicer formatting.

Package: emacs; Severity: minor; Reported by: Jean Louis <bugs@HIDDEN>; dated Tue, 24 Nov 2020 09:56:01 UTC; Maintainer for emacs is bug-gnu-emacs@HIDDEN.
Removed tag(s) moreinfo. Request was from Lars Ingebrigtsen <larsi@HIDDEN> to control <at> debbugs.gnu.org. Full text available.
Added tag(s) moreinfo. Request was from Lars Ingebrigtsen <larsi@HIDDEN> to control <at> debbugs.gnu.org. Full text available.

Message received at 44837 <at> debbugs.gnu.org:


From: Lars Ingebrigtsen <larsi@HIDDEN>
To: Jean Louis <bugs@HIDDEN>
Subject: Re: bug#44837: 28.0.50; Local-variables: in middle of file wants to
 get executed
Date: Wed, 08 Sep 2021 11:46:58 +0200

Jean Louis <bugs@HIDDEN> writes:

> When I read email with Mutt and use Emacs, then local variables want
> to get executed.

Just to ensure that I understand you -- this has nothing to do with
reading mail, has it?  It's about opening a file containing local
variables in Emacs from disk?  (I asked before, but the response was
ambiguous.)

(That you received the file via mail is pretty immaterial.)

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#44837; Package emacs. Full text available.

Message received at 44837 <at> debbugs.gnu.org:


Date: Thu, 26 Nov 2020 21:42:27 +0300
From: Jean Louis <bugs@HIDDEN>
To: Lars Ingebrigtsen <larsi@HIDDEN>
Subject: Re: bug#44837: 28.0.50; Local-variables: in middle of file wants to
 get executed

* Lars Ingebrigtsen <larsi@HIDDEN> [2020-11-26 15:55]:
> Jean Louis <bugs@HIDDEN> writes:
> 
> >> I'm unable to reproduce this bug.  How are you reading this mail?
> >> rmail?  Gnus?  Something else?
> >
> > By invoking emacsclient
> >
> > That it is email is not relevant. I would like to say that focus shall
> > be on those follow up emails from me on how to improve the dialogue.
> >
> > Did you get it?
> 
> Nope.  Having an Emacs client eval arbitrary code that it's receiving
> would be a major security problem.  Loading local files is less of a
> problem.

Please see here:
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=44837#8

> So if this has nothing to do with emails, that's nice.

I do not think that major problem is email but more fundamental in how
is that dialogue displayed.

When I read email with Mutt and use Emacs, then local variables want
to get executed.

My comments are on the above link as I forgot to include you and
assumed you would get email automatically.

Thank you,
Jean





Information forwarded to bug-gnu-emacs@HIDDEN:
bug#44837; Package emacs. Full text available.

Message received at 44837 <at> debbugs.gnu.org:


From: Lars Ingebrigtsen <larsi@HIDDEN>
To: Jean Louis <bugs@HIDDEN>
Subject: Re: bug#44837: 28.0.50; Local-variables: in middle of file wants to
 get executed
Date: Thu, 26 Nov 2020 13:54:54 +0100

Jean Louis <bugs@HIDDEN> writes:

>> I'm unable to reproduce this bug.  How are you reading this mail?
>> rmail?  Gnus?  Something else?
>
> By invoking emacsclient
>
> That it is email is not relevant. I would like to say that focus shall
> be on those follow up emails from me on how to improve the dialogue.
>
> Did you get it?

Nope.  Having an Emacs client eval arbitrary code that it's receiving
would be a major security problem.  Loading local files is less of a
problem.

So if this has nothing to do with emails, that's nice.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#44837; Package emacs. Full text available.

Message received at 44837 <at> debbugs.gnu.org:


Date: Thu, 26 Nov 2020 15:35:58 +0300
From: Jean Louis <bugs@HIDDEN>
To: Lars Ingebrigtsen <larsi@HIDDEN>
Subject: Re: bug#44837: 28.0.50; Local-variables: in middle of file wants to
 get executed

* Lars Ingebrigtsen <larsi@HIDDEN> [2020-11-26 14:15]:
> Jean Louis <bugs@HIDDEN> writes:
> 
> > How to reproduce:
> >
> > - make email with the text containing Local-variables as below.
> 
> [...]
> 
> >> #+begin_src org
> >>   ,* local variables                         :noexport:
> >>   # Local Variables:
> >>   # eval: (org-sbe "startup")
> >>   # End:
> >> #+end_src
> >> 
> >> which will evaluate the named src block "startup" when file is opened.
> 
> I'm unable to reproduce this bug.  How are you reading this mail?
> rmail?  Gnus?  Something else?

By invoking emacsclient

That it is email is not relevant. I would like to say that focus shall
be on those follow up emails from me on how to improve the dialogue.

Did you get it?




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#44837; Package emacs. Full text available.

Message received at 44837 <at> debbugs.gnu.org:


From: Lars Ingebrigtsen <larsi@HIDDEN>
To: Jean Louis <bugs@HIDDEN>
Subject: Re: bug#44837: 28.0.50; Local-variables: in middle of file wants to
 get executed
Date: Thu, 26 Nov 2020 12:15:15 +0100

Jean Louis <bugs@HIDDEN> writes:

> How to reproduce:
>
> - make email with the text containing Local-variables as below.

[...]

>> #+begin_src org
>>   ,* local variables                         :noexport:
>>   # Local Variables:
>>   # eval: (org-sbe "startup")
>>   # End:
>> #+end_src
>> 
>> which will evaluate the named src block "startup" when file is opened.

I'm unable to reproduce this bug.  How are you reading this mail?
rmail?  Gnus?  Something else?

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#44837; Package emacs. Full text available.

Message received at 44837 <at> debbugs.gnu.org:


Date: Thu, 26 Nov 2020 08:47:50 +0300
From: Jean Louis <bugs@HIDDEN>
To: 44837 <at> debbugs.gnu.org
Subject: Re: 28.0.50; Local-variables: in middle of file wants to get executed

I am proposing following changes to the dialogue with unsafe
variables:

- to include on minibuffer the option ? to READ MANUAL and lead user
  to the section 49.2.4.2 Safety of File Variables where there are
  dangerous to data cited

- to make the dialogue window with cursor rather than without any
  cursor how it is now, so that user can click on buttons pointing to
  the above manual page

- to designate some parts as shown below to be buttons to the manual
  page clickable both from console and from X Emacs

- to give user option to permanently mark specific file or directory
  variables as unsafe and not to be asked again to accept them over
  and over again as that makes unfair choice to user

- if user clicks ? or C-g or tries to escape or anything else but Y or
  !, then the dialogue should fail and file get loaded just as
  usual. Upon the next opening of the file everything should go as
  usual.

- to add section in the tutorial that references that variables should
  not be opened as nothing about these issues is written in the
  tutorial. One could say that before accepting any variables user
  shall read the manual section 49.2.4.2 Safety of File Variables, and
  until full understanding is achieved user is advised not to accept
  such variables.

From the current template:
==========================

The local variables list in /home/data1/protected/x
contains values that may not be safe (*).

Do you want to apply it?  You can type
y  -- to apply the local variables list.
n  -- to ignore the local variables list.
!  -- to apply the local variables list, and permanently mark these
      values (*) as safe (in the future, they will be set automatically.)

  * eval : (when (and (buffer-file-name) (not (file-directory-p (.......

Proposed hyperlinks to manual page:
===================================

The local variables list in /home/data1/protected/x
    ^^^^^^^^^^^^^^^
contains values that may not be safe (*).
         ^^^^^^      ^^^^^^^^^^^^^^^^^^^
Do you want to apply it?  You can type
y  -- to apply the local variables list.
         ^^^^^^^^^^^^^^^^^^^^^^^^^
n  -- to ignore the local variables list.
!  -- to apply the local variables list, and permanently mark these
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      values (*) as safe (in the future, they will be set automatically.)

  * eval : (when (and (buffer-file-name) (not (file-directory-p (.......
    ^^^^^^

- to give to user option to permanently NOT mark these values to be
  accepted, as the choice above is inclined to accept variables and it
  makes users error prone to accept unsafe variables, but it does not
  give option to permanently mark those as unsafe.

  This is more important for dir local variables where user may be
  asked many times to accept variables.

  Being asked 20 times will make user finally permanently accept
  variables.

  But user has no visible way to permanently ignore those variables.

- safety for millions of users who do not use Emacs Lisp or who may
  not be programmers.



Reasons:
========

- Emacs assumes wrongly that millions of users will know the meanings
  of "variable", "value", "apply" variable, "eval" and "safe",
  including the meanings of all of the Emacs Lisp that may be shown
  after eval: line and that seem not to be user friendly

- to follow the principle of being self-documenting one shall give
  hyperlinks or references to documentation, thus giving user the
  actual informed choice.

- right now user does not have informed choice and is coerced to
  permanently accept variables.

More references:

https://lists.gnu.org/archive/html/emacs-orgmode/2020-11/msg00609.html

https://lists.gnu.org/archive/html/emacs-orgmode/2020-11/msg00633.html

Here are references of confused users on Stack-something:
https://lists.gnu.org/archive/html/emacs-orgmode/2020-11/msg00655.html

https://lists.gnu.org/archive/html/emacs-orgmode/2020-11/msg00665.html






Information forwarded to bug-gnu-emacs@HIDDEN:
bug#44837; Package emacs. Full text available.

Message received at submit <at> debbugs.gnu.org:


Date: Tue, 24 Nov 2020 12:54:25 +0300
From: Jean Louis <bugs@HIDDEN>
To: bug-gnu-emacs@HIDDEN
Subject: 28.0.50; Local-variables: in middle of file wants to get executed


How to reproduce:

- make email with the text containing Local-variables as below.

-------------------- text begin below-----------------------
* Eric S Fraga <e.fraga@HIDDEN> [2020-11-24 12:46]:
> On Tuesday, 24 Nov 2020 at 12:00, Jean Louis wrote:
> > Can I automate the execution of Babel code upon opening of the Org
> > file?
> 
> You can, by using file local variables.  For instance, for some files, I
> do this:
> 
> #+begin_src org
>   ,* local variables                         :noexport:
>   # Local Variables:
>   # eval: (org-sbe "startup")
>   # End:
> #+end_src
> 
> which will evaluate the named src block "startup" when file is opened.
> 
> Note that this is a potential security hole so only do this for files
> you trust!

For me is fine, as I do that for files I create.

When I have opened this email I was also asked to set local variables,
imagine. So that could maybe also mean that one could send email that
is constructed as Org file and if user answers YES, one could inject
malicious stuff.

--------------- the text above -------------------
still asks me if I like to allow eval: (org-sbe "startup")

So I think this is bug in Emacs as Local-variables should be on the
end of the file.

I am asked when editing such email to execute those local variables
above quoted even though they are not on the end of the file. I think
this is security issue as described above in the same file. People
could spam other users, include some local variables and those
answering with Emacs could send them their email addresses, or
passwords or other private information, it could also invoke various
modes like Org mode and execute various scripts.

-- 
Thanks,
Jean Louis
⎔ λ 🄯 𝍄 𝌡 𝌚
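
Added example, not part of the original report or of Emacs itself: Emacs looks for the "Local Variables:" marker within the last 3000 characters of a buffer (on the last page only, if there are form feeds) and treats whatever precedes the marker on its line as a prefix, which is why a "> "-quoted block in the middle of a short message still triggers the prompt. The Python sketch below is a simplified model of that rule for a pre-open check; the function names are hypothetical, the sample text is constructed from the block quoted above, and continuation lines are not handled.

```python
import re

TAIL_CHARS = 3000  # Emacs searches only this many characters from the end
MARKER = re.compile(r"Local Variables:", re.IGNORECASE)


def find_local_variables(text):
    """Return [(name, value), ...] from the block Emacs would look at, else []."""
    # Window: the last 3000 characters, narrowed to the last page when a
    # form feed at the start of a line falls inside that window.
    start = max(len(text) - TAIL_CHARS, 0)
    page_break = text.rfind("\n\f", start)
    if page_break != -1:
        start = page_break
    match = MARKER.search(text, start)
    if match is None:
        return []
    line_start = text.rfind("\n", 0, match.start()) + 1
    line_end = text.find("\n", match.end())
    if line_end == -1:
        return []  # marker is on the final line, so no entries follow
    # Whatever surrounds the marker on its own line ("> # ", ";; ", " */")
    # is the prefix/suffix every following entry line must carry.
    prefix = text[line_start:match.start()]
    suffix = text[match.end():line_end].lstrip(" \t")
    entries = []
    for line in text[line_end + 1:].split("\n"):
        if not (line.startswith(prefix) and line.endswith(suffix)):
            break  # malformed list; report what was parsed so far
        body = line[len(prefix):len(line) - len(suffix)].strip(" \t")
        if body.lower() == "end:":
            break
        name, colon, value = body.partition(":")
        if not colon:
            break
        entries.append((name.strip(), value.strip()))
    return entries


def eval_forms(text):
    """Values of `eval` entries: the ones that would run Lisp if accepted."""
    return [v for n, v in find_local_variables(text) if n.lower() == "eval"]


# Constructed sample: a short reply that quotes the block mid-message.
QUOTED_REPLY = (
    "> You can, by using file local variables.\n"
    "> \n"
    "> #+begin_src org\n"
    ">   ,* local variables                         :noexport:\n"
    ">   # Local Variables:\n"
    '>   # eval: (org-sbe "startup")\n'
    ">   # End:\n"
    "> #+end_src\n"
    "\n"
    "For me is fine, as I do that for files I create.\n"
)
# Constructed: same block, but more than 3000 characters of text follow it.
LONG_REPLY = QUOTED_REPLY + "filler line\n" * 300
# Constructed: same block, but a form feed starts a new page after it.
PAGED_REPLY = QUOTED_REPLY + "\f\nsecond page\n"

if __name__ == "__main__":
    for label, sample in [("short quoted reply", QUOTED_REPLY),
                          ("long reply", LONG_REPLY),
                          ("block before page break", PAGED_REPLY)]:
        print(f"{label}: eval forms = {eval_forms(sample)}")
```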




Acknowledgement sent to Jean Louis <bugs@HIDDEN>:
New bug report received and forwarded. Copy sent to bug-gnu-emacs@HIDDEN. Full text available.
Report forwarded to bug-gnu-emacs@HIDDEN:
bug#44837; Package emacs. Full text available.
Last modified: Thu, 7 Oct 2021 18:15:01 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.