Date: Mon, 9 Nov 2020 18:59:17 +0300
From: Jean Louis
To: Maxim Nikulin
Subject: Re: Thoughts on the standardization of Org
Cc: emacs-orgmode@gnu.org

* Maxim Nikulin [2020-11-09 17:06]:
> 2020-11-08 Jean Louis wrote:
> > That is right, I am using it since years in ~/.mailcap that works well
> > for mutt email client.
> >
> > text/org; emacsclient %s; nametemplate=%s.org;
> > text/x-org; emacsclient %s; nametemplate=%s.org;
>
> Just for curiosity, couldn't it lead to execution of arbitrary code
> placed into elisp table expressions, some macro, etc.?

The file name is created on the fly, like a temporary file name. Email does not carry a file name. But it is true that file names can be used maliciously. Only not in the case when I am opening an Org file from the Mutt email client or others. But if I would be opening an Org file with some malicious file name from other software, I guess there could be problems. Quoting '%s' is recommended.

Mailcap has security issues just as the file system has.

When the file is opened, there is an Org file. There is no automatic execution unless the user has set his system to maybe automatically execute stuff.

> I have not convinced myself that just opening of a file (without
> executing of src blocks) is safe enough and there are no dangerous
> #+startup options or other tricks.

That is why on GNU/Linux and BSD systems and other systems we have login with username and passwords and locking screensavers. Those are for use. Computers should be protected from malicious access.

By all means you are right to be cautious with Emacs, which executes all kinds of things here and there. For the same reason one shall be cautious of any packages coming from various popular package repositories, as such are not verified for safety issues.

For any Emacs package, never allow local file variables to be executed unless you are sure what you are doing. Just say no if unsure.

For any package offered by some not common communication line, such as XMPP chat or IRC, like "Hey there, look what this theme does", do not trust it without being very sure that the package is verified or at least downloaded by many people without complaints.

Any programming language is insecure if people just execute programs without verifying the background of such programs, the people behind them, and the fact of whether many users appreciate the programs.

When receiving an Org file by email you should know who is the person behind it. The only Org files I am currently receiving are from Sacha Chua, the Emacs News, as I am subscribed to it. You may subscribe too: https://sachachua.com/blog/#text-3

-- 
Thanks,
Jean Louis
⎔ λ 🄯 𝍄 𝌡 𝌚
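
Added example, not part of the original message and not code from Org or Emacs: a plain-text triage pass over a received Org attachment that flags the constructs raised in this thread (file-local variables, elisp table formulas, eval macros, src blocks) plus elisp/shell links, so the file can be reviewed before it is opened in Emacs. The names `scan_org`, `RULES` and `SAMPLE` are illustrative, the pattern list is an assumption and not exhaustive, and the sample input is constructed.

```python
import re

# Org constructs that can carry code. A hit is a reason to read the file as
# plain text before opening it in Emacs, not proof that anything is malicious.
RULES = {
    "file-local-variables": re.compile(r"^\s*#\s*Local Variables:\s*$", re.I),
    "file-local-eval": re.compile(r"^\s*#\s*eval:\s*\(", re.I),
    "src-block": re.compile(r"^\s*#\+begin_src\b", re.I),
    "inline-src-or-call": re.compile(r"\bsrc_[\w-]+[\[{]|\bcall_[\w-]+[\[(]"),
    "elisp-table-formula": re.compile(r"^\s*#\+TBLFM:.*'\(", re.I),
    "eval-macro": re.compile(r"^\s*#\+MACRO:\s*\S+\s+\(eval\b", re.I),
    "elisp-or-shell-link": re.compile(r"\[\[(?:elisp|shell):", re.I),
}
# "-*- ... eval: ... -*-" cookie; only the first line is checked here.
COOKIE = re.compile(r"-\*-.*\beval\s*:.*-\*-", re.I)

def scan_org(text):
    """Return (line_number, rule_name) findings in file order."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        if no == 1 and COOKIE.search(line):
            findings.append((no, "first-line-eval-cookie"))
        findings.extend((no, name) for name, rx in RULES.items() if rx.search(line))
    return findings

# Constructed sample input, not taken from any real message.
SAMPLE = """\
# -*- mode: org; eval: (message "hi") -*-
#+TITLE: Constructed sample
#+MACRO: today (eval (format-time-string "%F"))
| a | b |
| 1 | 2 |
#+TBLFM: $2='(* 2 $1);N
#+begin_src sh
echo hello
#+end_src
See [[elisp:(message "clicked")][this link]] and src_sh{date}.
# Local Variables:
# eval: (message "loaded")
# End:
"""

if __name__ == "__main__":
    for no, name in scan_org(SAMPLE):
        print(f"line {no}: {name}")
```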