* Tim Cross <theophil...@gmail.com> [2020-11-10 00:50]:
>
> Maxim Nikulin <maniku...@gmail.com> writes:
>
> > 2020-11-08 Jean Louis wrote:
> >> That is right, I am using it since years in ~/.mailcap that works well
> >> for mutt email client.
> >>
> >> text/org; emacsclient %s; nametemplate=%s.org;
> >> text/x-org; emacsclient %s; nametemplate=%s.org;
> >
> > Just for curiosity, couldn't it lead to execution of arbitrary code
> > placed into elisp table expressions, some macro, etc.? I have not
> > convinced myself that just opening of a file (without executing of src
> > blocks) is safe enough and there no dangerous #+startup options or other
> > tricks. Emacs is too powerful and too flexible...
>
> By default, it is pretty safe. While you can customize things in such a
> way as to expose you to additional danger, you have to explicitly do
> that.
>
> There is a risk with many MIME types, for example images, word and excel
> documents etc. Even HTML can be a threat, especially if your mail reader
> supports JS and is not well engineered with security checks.
>
> No email can be considered 100% safe. However, in addition to the
> possible security consequences, you also have to consider the
> likelihood. The effort it takes to craft a malicious payload needs some
> sort of reward and while that reward might be as trivial as just causing
> mayhem, the relatively small user base for org compared to other MIME
> types is unlikely to make it an attractive mechanism. You are more
> likely to choose something more popular to put your efforts into.

In general I understand your very valid points. When using a text-based
email reader and non-JavaScript browsers to read emails, email is
practically very safe. I have never encountered any problems in the last
2 decades plus 1 year. Of course there are phishing and tracking emails
and there are bugs in various software.

Mostly I have used mutt, and for some time Thunderbird. Never had any
issue with emails. It does not mean there are none:

https://nvd.nist.gov/vuln/detail/CVE-2020-6793

https://www.mozilla.org/en-US/security/advisories/mfsa2020-44/

https://www.cvedetails.com/product/3678/Mozilla-Thunderbird.html?vendor_id=452

https://www.cvedetails.com/google-search-results.php?q=mutt&sa=Search