On 08/02/2025 05:11, Stefan Kangas wrote:
> Glenn Morris writes:
>
>> #+macro: hello (eval (shell-command-to-string "touch /tmp/HELLO"))
>> Hello. {{{hello}}}
>>
>> Then: M-x org-export-dispatch t A
>
> [...]
>
> Ihor, could you please look into this bug?
Disclaimer: I am not Ihor.

In my opinion, it is an important, but not an urgent issue. I do not see a way to unintentionally invoke export in the default configuration. It requires C-x C-e and a couple of extra keys to select the format. A user can abort the process after accidentally starting the export dispatcher. So this issue is less severe than e.g. CVE-2024-53920 (indirectly related to bug#32495 completion and bug#37656 flymake), where it is enough to open some file to cause execution of embedded code.

I admit there are user configurations and some packages that may add an easy-access binding, e.g. to copy the selection as HTML or as Markdown, that run org-export under the hood.

Execution of code really may be surprising for novices, but for experienced Org users it is a powerful feature. I do not mind that a warning related to macros may be added to (info "(org) Code-Evaluation-Security") and linked from the (info "(org) Exporting") subsection (info "(org) Macro-Replacement").

What may help to mitigate the issue is the recently introduced `trusted-content' variable (that still may be renamed to `macros-always-safe' or to something even more confusing). Maybe more flexible settings should be implemented.

I expect Glenn does not assume that `org-export' should be affected by user options related to (info "(emacs) File-Variables"), and it was just an example of a similar approach.

There was an attempt to fix this kind of issue in Org. Unfortunately a naive approach caused severe user inconvenience and the changes were reverted. I am afraid, as a consequence, some users even disabled the existing protection related to `org-babel'. I recall a discussion on the emacs-orgmode mailing list on how to manage the degree of trust for specific Org mode documents.

I do not think it would harm to put eval macros behind `trusted-content' when this variable is available, but it would not be a complete fix. Org supports previous Emacs releases.
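One way a user could gate eval macros behind `trusted-content' today, as an added example that is not code from this thread, from Org or from Emacs: it scans the buffer for `#+MACRO:' definitions whose expansion starts with `(eval' and aborts export unless the file is trusted. It assumes the Emacs 30 predicate `trusted-content-p' (the guard simply refuses export when that predicate is unavailable, which covers older releases conservatively), and it advises `org-export-as' instead of using the export hook because the hook runs in a temporary buffer copy. The `my/' function names are hypothetical.

```elisp
;; Added example, not part of the thread or of Org.  Assumes Emacs 30's
;; `trusted-content-p' and advises `org-export-as' (the export hook runs in a
;; buffer copy, so file-based trust would have to be re-derived there).

(defun my/org-eval-macro-names ()
  "Return names of `#+MACRO:' definitions in this buffer whose body is `(eval ...)'.
This is a heuristic: macros pulled in via #+SETUPFILE or #+INCLUDE are not seen."
  (let ((case-fold-search t)           ; #+macro: and #+MACRO: both count
        names)
    (save-excursion
      (goto-char (point-min))
      (while (re-search-forward
              "^[ \t]*#\\+MACRO:[ \t]+\\([^ \t\n]+\\)[ \t]+(eval\\b" nil t)
        (push (match-string-no-properties 1) names)))
    (nreverse names)))

(defun my/org-guard-eval-macros (&rest _args)
  "Abort export when eval macros are defined and the file is not trusted.
Trust is decided by `trusted-content-p'; when that predicate does not exist
\(Emacs < 30) the buffer is treated as untrusted."
  (let ((names (my/org-eval-macro-names)))
    (when (and names
               (not (and (fboundp 'trusted-content-p) (trusted-content-p))))
      (user-error "Export aborted: eval macro(s) %s defined in untrusted file %s; \
add it to `trusted-content' to allow export"
                  (mapconcat #'identity names ", ")
                  (or buffer-file-name "<no file>")))))

;; Install the guard in front of every export, including the dispatcher.
(advice-add 'org-export-as :before #'my/org-guard-eval-macros)

;; To disable again:
;; (advice-remove 'org-export-as #'my/org-guard-eval-macros)
```

Because the check runs before the buffer copy is made, `trusted-content-p' sees the real file name; adding the document (or its directory) to `trusted-content' lets export proceed, so the mitigation is opt-in per document rather than a global switch. As noted in the thread, this is not a complete fix: macros defined in included or setup files are not caught by the regexp scan.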
