Max Nikulin <maniku...@gmail.com> writes:

> Consider the following source block
>
> ---- >8 ----
> #+begin_src elisp :var a=(message "%s" "pwnd")
> a
> #+end_src
> ---- 8< ----
>
> Open the "*Messages*" buffer (C-h e) and try to evaluate the source
> block (C-c C-c).
>
> Actual result:
> "pwnd" message appears in "*Messages*" simultaneously with user prompt
> whether the code should be executed.
>
> Expected result:
> No code from the Org buffer and linked files is executed prior to
> confirmation from the user.
Confirmed. See the attached tentative patch. I tried to balance between annoying users with a query and not evaluating unsafe code: '-quoted lists and symbols are still evaluated without a prompt. Let me know if you see any potential issues.
>From 961a3ee38a2b9521427fddea5102d003f39b88d6 Mon Sep 17 00:00:00 2001 Message-Id: <961a3ee38a2b9521427fddea5102d003f39b88d6.1666926796.git.yanta...@posteo.net> From: Ihor Radchenko <yanta...@posteo.net> Date: Fri, 28 Oct 2022 11:09:50 +0800 Subject: [PATCH] org-babel-read: Obey `org-confirm-babel-evaluate' * lisp/ob-core.el (org-babel-read): Do not execute arbitrary Elisp without prompt, according to `org-confirm-babel-evaluate'. Reported-by: Max Nikulin <maniku...@gmail.com> Link: https://orgmode.org/list/tjct9e$179u$1...@ciao.gmane.io --- lisp/ob-core.el | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/lisp/ob-core.el b/lisp/ob-core.el index 518831ec6..e10ab401c 100644 --- a/lisp/ob-core.el +++ b/lisp/ob-core.el @@ -3165,7 +3165,16 @@ (defun org-babel-read (cell &optional inhibit-lisp-eval) ((and (not inhibit-lisp-eval) (or (memq (string-to-char cell) '(?\( ?' ?` ?\[)) (string= cell "*this*"))) - (eval (read cell) t)) + ;; Prevent arbitrary function calls. + (if (and (memq (string-to-char cell) '(?\( ?`)) + (not (org-babel-confirm-evaluate + ;; See `org-babel-get-src-block-info'. + (list "emacs-lisp" (format "%S" cell) + '((:eval . yes)) nil (format "%S" cell) + nil nil)))) + ;; Not allowed. + (user-error "Evaluation of elisp code %S aborted." cell) + (eval (read cell) t))) ((save-match-data (and (string-match "^[[:space:]]*\"\\(.*\\)\"[[:space:]]*$" cell) (not (string-match "[^\\]\"" (match-string 1 cell))))) -- 2.35.1
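Review bot: in the new `org-babel-confirm-evaluate' call, `(format "%S" cell)' is used for both the body slot and the name slot, but `cell' is already a string (the enclosing clause calls `string-to-char' and `string=' on it), so `%S' yields its printed representation with escaped quotes; a function-valued `org-confirm-babel-evaluate' then receives `"\"(message \\\"%s\\\" \\\"pwnd\\\")\""' as the block body instead of the cell text, and the yes-or-no prompt shows the same escaped form as the block name. Pass `cell' itself as the body and use `%s' (or nil) for the name. Also, `(user-error "Evaluation of elisp code %S aborted." cell)' ends with a period, which the Emacs convention for error messages avoids; drop it. Finally, the diffstat lists only lisp/ob-core.el, so the reported `:var a=(message "%s" "pwnd")' case ships without a regression test and the new prompt on variable cells without a NEWS entry.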
-- Ihor Radchenko // yantar92, Org mode contributor, Learn more about Org mode at <https://orgmode.org/>. Support Org development at <https://liberapay.com/org-mode>, or support my work at <https://liberapay.com/yantar92>
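As an added illustration of the cell shapes discussed in the reply above (this is not code from the patch or from Org mode; the `my/' functions and the counter are hypothetical stand-ins for the `(message "%s" "pwnd")' in the report), the snippet below evaluates each kind of `:var' cell the way `org-babel-read' does, with `(eval (read cell) t)', and records whether the embedded call actually ran. Only the `(' and `` ` `` prefixes let the call execute; a '-quoted list, a vector and a bare symbol evaluate to data.

```elisp
;;; -*- lexical-binding: t -*-
;; Added example, not part of Org mode or of the patch under discussion.

(defvar my/cell-eval-hits 0
  "Hypothetical counter bumped each time a cell's embedded call runs.")

(defun my/cell-bump ()
  "Hypothetical side effect standing in for (message \"%s\" \"pwnd\")."
  (setq my/cell-eval-hits (1+ my/cell-eval-hits))
  'bumped)

(defun my/cell-runs-code-p (cell)
  "Return non-nil if evaluating CELL as `org-babel-read' does calls code.
CELL is the text after `:var a=' in a source block header.  The cell is
read and evaluated exactly as in the unpatched `org-babel-read', and the
result is whether `my/cell-eval-hits' changed."
  (let ((before my/cell-eval-hits))
    (eval (read cell) t)
    (> my/cell-eval-hits before)))

(defun my/classify-cells (cells)
  "Return an alist of (CELL . RUNS-CODE-P) for each string in CELLS."
  (mapcar (lambda (cell) (cons cell (my/cell-runs-code-p cell))) cells))

;; Constructed sample cells covering the prefixes `org-babel-read' accepts.
(my/classify-cells
 '("(my/cell-bump)"          ; plain list: the call runs           -> t
   "`(1 ,(my/cell-bump))"     ; backquote with unquote: runs        -> t
   "'(my/cell-bump)"          ; quoted list: returned as data       -> nil
   "[(my/cell-bump)]"         ; vector: self-evaluating, no call    -> nil
   "my/cell-eval-hits"))      ; symbol: variable lookup only        -> nil
```

The two cases that come back `t' are exactly the prefixes the patch gates behind `org-babel-confirm-evaluate'; the other three are the shapes it still evaluates without a prompt, which is safe because quote and vector literals never apply a function. Note that `org-babel-read' only sends a bare symbol to `eval' when it is `*this*'; the symbol case is included here only to show that a variable lookup is harmless.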