Re: Reproducers for recent Emacs security issues

[Max Nikulin]

On 15/04/2024 16:46, Sean Whitton wrote:
> emacs -q
> M-x gnus-no-server
> Gf ~/tmp/mbox-with-the-msgs.mbox
> RET

I am not a Gnus user, but this time I have tried it. I have realized 
that if there is an text/x-org attachment, even a purely innocent one, 
then it is enough to have the following in the text/plain *body* to 
trigger an attempt to download a remote file:

#+setupfile: http://localhost:8000/setup-1234567890.org

it happens when I open the message, the attachment remains closed.

I expect that message body should not affect attachment preview.

Emacs-28.2

innocent.org
Description: Text Data

innocent-x.org
Description: Text Data