Ihor Radchenko <[email protected]> writes:
> Here is a vulnerability in Emacs Org mode.
>
> Reproducer is the following .org file:
>
> #+LINK: shell %(shell-command-to-string)
> [[shell:touch ~/hacked.txt]]
>
> When sent by email and previewed in Emacs or when opened in Emacs as a
> file, the above Org file will evaluate "touch ~/hacked.txt" without any
> prompts.
>
> The fix is attached. It is against Org mode git repository.
> The fix can be applied to older versions of Org mode/Emacs if deemed
> necessary.

For those who want to disable automatic parsing of Org files in incoming
email messages with Emacs-based mail readers that use emacs-mime, I
believe this needs to be done with two bits of configuration.
The following (or the equivalent via customize) will disable autodetection
of Org files inline in text/plain parts, such as in the message that I'm
responding to:

;; Mark both mm-uu Org entries as disabled so text/plain parts are not
;; parsed as Org.
(custom-set-variables
 '(mm-uu-configure-list
   '((org-src-code-block . disabled)
     (org-meta-line . disabled))))

In order to disable automatic previewing of org-mode attachments, you need
to customize mm-automatic-display to remove text/x-org from the list of
MIME types that are automatically previewed. (This part I have not
tested.)

There are probably other ways to do this; those are just the ones that I
found.

--
Russ Allbery ([email protected]) <https://www.eyrie.org/~eagle/>
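The two configuration steps described in the message above, written out as one Emacs Lisp snippet suitable for an init file. This is an added example, not code from the message or from the Org or Gnus projects. It assumes that the default value of mm-automatic-display contains the string "text/x-org" (the message says this part is untested), that mm-uu-configure-list is best set through customize-set-variable so its :set hook runs, and that the checking function my/org-mime-autodisplay-disabled-p is a name chosen here for illustration.

```elisp
;; Added example: turn off automatic Org rendering in emacs-mime based mail
;; readers (Gnus and friends). Entry names come from the message above.
(require 'mm-decode)   ; defines mm-automatic-display
(require 'mm-uu)       ; defines mm-uu-configure-list

;; 1. Inline Org in text/plain parts: mark both mm-uu Org entries as
;;    disabled. customize-set-variable runs the variable's :set function,
;;    so the change takes effect at once (a plain setq would not re-run
;;    mm-uu's configuration). Existing entries in the list are kept.
(customize-set-variable
 'mm-uu-configure-list
 (append '((org-src-code-block . disabled)
           (org-meta-line . disabled))
         mm-uu-configure-list))

;; 2. Org attachments: drop text/x-org from the list of MIME types that are
;;    displayed automatically. `delete' compares with `equal', so it matches
;;    the string element; `delq' would silently leave it in place.
;;    (Assumption: "text/x-org" is present in the default list.)
(setq mm-automatic-display
      (delete "text/x-org" mm-automatic-display))

;; Sanity check (hypothetical helper): non-nil once both settings are in place.
(defun my/org-mime-autodisplay-disabled-p ()
  "Return non-nil when emacs-mime no longer auto-displays Org content."
  (and (not (member "text/x-org" mm-automatic-display))
       (eq (cdr (assq 'org-src-code-block mm-uu-configure-list)) 'disabled)
       (eq (cdr (assq 'org-meta-line mm-uu-configure-list)) 'disabled)))
```

Evaluate (my/org-mime-autodisplay-disabled-p) after loading the snippet to confirm both pieces took effect; these settings only stop the mail reader from rendering Org parts on its own and do not replace applying the Org mode fix itself.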