From: Lars Ingebrigtsen <larsi@HIDDEN>
To: Jean Louis <bugs@HIDDEN>
Cc: 44837 <at> debbugs.gnu.org
Subject: Re: bug#44837: 28.0.50; Local-variables: in middle of file wants to get executed
Date: Thu, 26 Nov 2020 13:54:54 +0100

Jean Louis <bugs@HIDDEN> writes:

>> I'm unable to reproduce this bug. How are you reading this mail?
>> rmail? Gnus? Something else?
>
> By invoking emacsclient
>
> That it is email is not relevant. I would like to say that focus shall
> be on those follow up emails from me on how to improve the dialogue.
>
> Did you get it?

Nope.

Having an Emacs client eval arbitrary code that it's receiving would be
a major security problem. Loading local files is less of a problem. So
if this has nothing to do with emails, that's nice.

--
(domestic pets only, the antidote for overdose, milk.)
bloggy blog: http://lars.ingebrigtsen.no

From: Jean Louis <bugs@HIDDEN>
To: Lars Ingebrigtsen <larsi@HIDDEN>
Cc: 44837 <at> debbugs.gnu.org
Subject: Re: bug#44837: 28.0.50; Local-variables: in middle of file wants to get executed
Date: Thu, 26 Nov 2020 15:35:58 +0300

* Lars Ingebrigtsen <larsi@HIDDEN> [2020-11-26 14:15]:
> Jean Louis <bugs@HIDDEN> writes:
>
> > How to reproduce:
> >
> > - make email with the text containing Local-variables as below.
>
> [...]
>
> >> #+begin_src org
> >> ,* local variables :noexport:
> >> # Local Variables:
> >> # eval: (org-sbe "startup")
> >> # End:
> >> #+end_src
> >>
> >> which will evaluate the named src block "startup" when file is opened.
>
> I'm unable to reproduce this bug. How are you reading this mail?
> rmail? Gnus? Something else?

By invoking emacsclient

That it is email is not relevant. I would like to say that focus shall
be on those follow up emails from me on how to improve the dialogue.

Did you get it?

From: Lars Ingebrigtsen <larsi@HIDDEN>
To: Jean Louis <bugs@HIDDEN>
Cc: 44837 <at> debbugs.gnu.org
Subject: Re: bug#44837: 28.0.50; Local-variables: in middle of file wants to get executed
Date: Thu, 26 Nov 2020 12:15:15 +0100

Jean Louis <bugs@HIDDEN> writes:

> How to reproduce:
>
> - make email with the text containing Local-variables as below.

[...]

>> #+begin_src org
>> ,* local variables :noexport:
>> # Local Variables:
>> # eval: (org-sbe "startup")
>> # End:
>> #+end_src
>>
>> which will evaluate the named src block "startup" when file is opened.

I'm unable to reproduce this bug. How are you reading this mail?
rmail? Gnus? Something else?

--
(domestic pets only, the antidote for overdose, milk.)
bloggy blog: http://lars.ingebrigtsen.no

From: Jean Louis <bugs@HIDDEN>
To: 44837 <at> debbugs.gnu.org
Subject: Re: 28.0.50; Local-variables: in middle of file wants to get executed
Date: Thu, 26 Nov 2020 08:47:50 +0300

I am proposing following changes to the dialogue with unsafe
variables:

- to include on minibuffer the option ? to READ MANUAL and lead user
  to the section 49.2.4.2 Safety of File Variables where there are
  dangerous to data cited

- to make the dialogue window with cursor rather than without any
  cursor how it is now, so that user can click on buttons pointing to
  the above manual page

- to designate some parts as shown below to be buttons to the manual
  page clickable both from console and from X Emacs

- to give user option to permanently mark specific file or directory
  variables as unsafe and not to be asked again to accept them over
  and over again as that makes unfair choice to user

- if user clicks ? or C-g or tries to escape or anything else but Y or
  !, then the dialogue should fail and file get loaded just as
  usual. Upon the next opening of the file everything should go as
  usual.

- to add section in the tutorial that references that variables should
  not be opened as nothing about these issues is written in the
  tutorial. One could say that before accepting any variables user
  shall read the manual section 49.2.4.2 Safety of File Variables, and
  until full understanding is achieved user is advised not to accept
  such variables.

From the current template:
==========================

The local variables list in /home/data1/protected/x
contains values that may not be safe (*).

Do you want to apply it? You can type
y -- to apply the local variables list.
n -- to ignore the local variables list.
! -- to apply the local variables list, and permanently mark these
     values (*) as safe (in the future, they will be set automatically.)

* eval : (when (and (buffer-file-name) (not (file-directory-p (.......

Proposed hyperlinks to manual page:
===================================

The local variables list in /home/data1/protected/x
    ^^^^^^^^^^^^^^^
contains values that may not be safe (*).
         ^^^^^^ ^^^^^^^^^^^^^^^^^^^

Do you want to apply it? You can type
y -- to apply the local variables list.
        ^^^^^^^^^^^^^^^^^^^^^^^^^
n -- to ignore the local variables list.
! -- to apply the local variables list, and permanently mark these
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
     values (*) as safe (in the future, they will be set automatically.)

* eval : (when (and (buffer-file-name) (not (file-directory-p (.......
^^^^^^

- to give to user option to permanently NOT mark these values to be
  accepted, as the choice above is inclined to accept variables and it
  makes users error prone to accept unsafe variables, but it does not
  give option to permanently mark those as unsafe. This is more
  important for dir local variables where user may be asked many times
  to accept variables. Being asked 20 times will make user finally
  permanently accept variables. But user has no visible way to
  permanently ignore those variables.

- safety for millions of users who do not use Emacs Lisp or who may
  not be programmers.

Reasons:
========

- Emacs assumes wrongly that millions of users will know the meanings
  of "variable", "value", "apply" variable, "eval" and "safe",
  including the meanings of all of the Emacs Lisp that may be shown
  after eval: line and that seem not to be user friendly

- to follow the principle of being self-documenting one shall give
  hyperlinks or references to documentation, thus giving user the
  actual informed choice.

- right now user does not have informed choice and is coerced to
  permanently accept variables.

More references:

https://lists.gnu.org/archive/html/emacs-orgmode/2020-11/msg00609.html
https://lists.gnu.org/archive/html/emacs-orgmode/2020-11/msg00633.html

Here are references of confused users on Stack-something:

https://lists.gnu.org/archive/html/emacs-orgmode/2020-11/msg00655.html
https://lists.gnu.org/archive/html/emacs-orgmode/2020-11/msg00665.html

From: Jean Louis <bugs@HIDDEN>
To: bug-gnu-emacs@HIDDEN
Subject: 28.0.50; Local-variables: in middle of file wants to get executed
Date: Tue, 24 Nov 2020 12:54:25 +0300

How to reproduce:

- make email with the text containing Local-variables as below.

-------------------- text begin below-----------------------
* Eric S Fraga <e.fraga@HIDDEN> [2020-11-24 12:46]:
> On Tuesday, 24 Nov 2020 at 12:00, Jean Louis wrote:
> > Can I automate the execution of Babel code upon opening of the Org
> > file?
>
> You can, by using file local variables. For instance, for some files, I
> do this:
>
> #+begin_src org
> ,* local variables :noexport:
> # Local Variables:
> # eval: (org-sbe "startup")
> # End:
> #+end_src
>
> which will evaluate the named src block "startup" when file is opened.
>
> Note that this is a potential security hole so only do this for files
> you trust!

For me is fine, as I do that for files I create.

When I have opened this email I was also asked to set local variables,
imagine.

So that could maybe also mean that one could send email that is
constructed as Org file and if user answers YES, one could inject
malicious stuff.

--------------- the text above -------------------

still asks me if I like to allow eval: (org-sbe "startup")

So I think this is bug in Emacs as Local-variables should be on the
end of the file.

I am asked when editing such email to execute those local variables
above quoted even though they are not on the end of the file.

I think this is security issue as described above in the same file.

People could spam other users, include some local variables and those
answering with Emacs could send them their email addresses, or
passwords or other private information, it could also invoke various
modes like Org mode and execute various scripts.

--
Thanks,
Jean Louis
⎔ λ 🄯 𝍄 𝌡 𝌚
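
An added example, not part of the bug report and not Emacs code: a Python model of the lookup rule given in the Emacs manual (the list must start within the last 3000 characters of the file, on its last page), which shows why a quoted block in a short mail is still found and lets a mail or file be checked for `eval:` entries before it is opened. The function names and the sample mail are constructed; the parsing is a simplified approximation.

```python
import re

WINDOW = 3000  # documented limit: list must start within the last 3000 characters
MARKER = re.compile(r"local variables:", re.IGNORECASE)
ENTRY = re.compile(r"[ \t]*([^\s:]+)[ \t]*:[ \t]*(.*)")
END = re.compile(r"[ \t]*end:[ \t]*", re.IGNORECASE)


def find_local_variables(text):
    """Return [(name, value), ...] for the file-local variables list, or []."""
    start = max(len(text) - WINDOW, 0)
    page_break = text.rfind("\n\f", start)      # only the last page is searched
    if page_break != -1:
        start = page_break
    m = MARKER.search(text, start)
    if not m:
        return []
    line_start = text.rfind("\n", 0, m.start()) + 1
    line_end = text.find("\n", m.end())
    if line_end == -1:
        return []                                # marker on the last line: no entries
    prefix = text[line_start:m.start()]          # e.g. "> # " for a quoted Org comment
    suffix = text[m.end():line_end].lstrip(" \t")
    entries = []
    for line in text[line_end + 1:].split("\n"):
        fits = len(line) >= len(prefix) + len(suffix)
        if not (fits and line.startswith(prefix) and line.endswith(suffix)):
            return []                            # malformed list: this model reports nothing
        body = line[len(prefix):len(line) - len(suffix)]
        if END.fullmatch(body):
            return entries                       # properly terminated list
        parsed = ENTRY.fullmatch(body)
        if parsed:                               # lines that are not "name: value" are skipped
            entries.append((parsed.group(1), parsed.group(2).strip()))
    return []                                    # no "End:" line was found


def eval_requests(text):
    """Lisp forms the list asks the editor to evaluate."""
    return [v for n, v in find_local_variables(text) if n.lower() == "eval"]


# Constructed sample, modelled on the quoted block in the report above.
SAMPLE_MAIL = (
    "How to reproduce:\n"
    "> You can, by using file local variables. For instance:\n"
    ">\n"
    "> #+begin_src org\n"
    "> ,* local variables :noexport:\n"
    "> # Local Variables:\n"
    '> # eval: (org-sbe "startup")\n'
    "> # End:\n"
    "> #+end_src\n"
    "\n"
    "When I have opened this email I was also asked to set local variables.\n"
)

if __name__ == "__main__":
    print(eval_requests(SAMPLE_MAIL))                        # short mail: block is in range
    print(eval_requests(SAMPLE_MAIL + "filler line\n" * 300))  # pushed out of the window
    print(eval_requests(SAMPLE_MAIL + "\n\f\nsecond page\n"))  # not on the last page
```

The quoting prefix `> # ` is treated as the list's line prefix, so quoting the block in a reply does not neutralise it; only distance from the end of the text or a later page break does.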
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997 nCipher Corporation Ltd,
1994-97 Ian Jackson.