Re: Arbitrary shell command evaluation in Org mode (GNU Emacs)

[Russ Allbery <eagle () eyrie org>]

Ihor Radchenko <yantar92 () posteo net> writes:

> Here is a vulnerability in Emacs Org mode.

> Reproducer is the following .org file:

> #+LINK: shell %(shell-command-to-string)
> [[shell:touch ~/hacked.txt]]

> When sent by email and previewed in Emacs or when opened in Emacs as a
> file, the above Org file will evaluate "touch ~/hacked.txt" without any
> prompts.

> The fix is attached. It is against Org mode git repository.
> The fix can be applied to older versions of Org mode/Emacs if deemed
> necessary.

For those who want to disable automatic parsing of Org files in incoming
email messages with Emacs-based mail readers that use emacs-mime, I
believe this needs to be done with two bits of configuration.

The following (or the equivalent via customize) will disable autodetection
of Org files inline in text/plain parts, such as in the message that I'm
responding to:

(custom-set-variables
 '(mm-uu-configure-list
   '((org-src-code-block . disabled)
     (org-meta-line . disabled))))

In order to disable automatic previewing of org-mode attachments, you need
to customize mm-automatic-display to remove text/x-org from the list of
MIME types that are automatically previewed.  (This part I have not
tested.)

There are probably other ways to do this; those are just the ones that I
found.

-- 
Russ Allbery (eagle () eyrie org)             <https://www.eyrie.org/~eagle/>