
[elpa] externals/org 6652ee7be9: Merge branch 'bugfix'


From: ELPA Syncer
Subject: [elpa] externals/org 6652ee7be9: Merge branch 'bugfix'
Date: Sun, 24 Mar 2024 12:58:43 -0400 (EDT)

branch: externals/org
commit 6652ee7be94cbcdbeab0212eba853d5b554238f6
Merge: 33503445e6 5ff4d54c6f
Author: Ihor Radchenko <yantar92@posteo.net>
Commit: Ihor Radchenko <yantar92@posteo.net>

    Merge branch 'bugfix'
---
 lisp/org-macro.el |  9 ++++++++-
 lisp/org.el       | 27 +++++++++++++++++++++++++--
 2 files changed, 33 insertions(+), 3 deletions(-)

diff --git a/lisp/org-macro.el b/lisp/org-macro.el
index a7601670ea..c509581fb2 100644
--- a/lisp/org-macro.el
+++ b/lisp/org-macro.el
@@ -112,6 +112,13 @@ previous one, unless VALUE is nil.  Return the updated 
list."
   (let ((new-templates nil))
     (pcase-dolist (`(,name . ,value) templates)
       (let ((old-definition (assoc name new-templates)))
+        ;; This code can be evaluated unconditionally, as a part of
+        ;; loading Org mode.  We *must not* evaluate any code present
+        ;; inside the Org buffer while loading.  Org buffers may come
+        ;; from various sources, like received email messages from
+        ;; potentially malicious senders.  Org mode might be used to
+        ;; preview such messages and no code evaluation from inside the
+        ;; received Org text should ever happen without user consent.
         (when (and (stringp value) (string-match-p "\\`(eval\\>" value))
           ;; Pre-process the evaluation form for faster macro expansion.
           (let* ((args (org-macro--makeargs value))
@@ -124,7 +131,7 @@ previous one, unless VALUE is nil.  Return the updated 
list."
                      (cadr (read value))
                    (error
                      (user-error "Invalid definition for macro %S" name)))))
-           (setq value (eval (macroexpand-all `(lambda ,args ,body)) t))))
+           (setq value `(lambda ,args ,body))))
         (cond ((and value old-definition) (setcdr old-definition value))
              (old-definition)
              (t (push (cons name (or value "")) new-templates)))))
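Review bot: The replacement `(setq value `(lambda ,args ,body))` no longer passes the form through `eval` with the lexical flag `t`, so the stored template is a plain list rather than a closure. When it is eventually called it will presumably be interpreted with dynamic scoping, which can change the result of macro bodies that rely on lexical capture. If that matters, the lexical evaluation could be done at expansion time, once the user has asked for the macro to be expanded, rather than dropped. The line also deserves its own comment, e.g. `;; Keep the form unevaluated here; it must only run when the macro is expanded.`, because the explanation added in the previous hunk sits several lines above at the `when`. The enclosing function starts and ends outside the hunk, and the expansion code is not visible here.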
diff --git a/lisp/org.el b/lisp/org.el
index 909ce00243..a789dd8f8b 100644
--- a/lisp/org.el
+++ b/lisp/org.el
@@ -1174,6 +1174,24 @@ the following lines anywhere in the buffer:
   :package-version '(Org . "8.0")
   :type 'boolean)
 
+(defvar untrusted-content) ; defined in files.el
+(defvar org--latex-preview-when-risky nil
+  "If non-nil, enable LaTeX preview in Org buffers from unsafe source.
+
+Some specially designed LaTeX code may generate huge pdf or log files
+that may exhaust disk space.
+
+This variable controls how to handle LaTeX preview when rendering LaTeX
+fragments that originate from incoming email messages.  It has no effect
+when Org mode is unable to determine the origin of the Org buffer.
+
+An Org buffer is considered to be from unsafe source when the
+variable `untrusted-content' has a non-nil value in the buffer.
+
+If this variable is non-nil, LaTeX previews are rendered unconditionally.
+
+This variable may be renamed or changed in the future.")
+
 (defcustom org-insert-mode-line-in-empty-file nil
   "Non-nil means insert the first line setting Org mode in empty files.
 When the function `org-mode' is called interactively in an empty file, this
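Review bot: `(defvar untrusted-content)` only marks the variable as special and does not give it a value, so the new clause `(and untrusted-content (not org--latex-preview-when-risky))` in the `org-latex-preview` hunk of this file will signal a void-variable error on any Emacs whose files.el does not define it. If Org is meant to load on such versions, use `(bound-and-true-p untrusted-content)` in that clause. The docstring also mixes "from unsafe source" with "incoming email messages"; the definition that matters is the `untrusted-content` one, and stating it first would make clear that the check is not limited to mail.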
@@ -4630,12 +4648,16 @@ from file or URL, and return nil.
 If NOCACHE is non-nil, do a fresh fetch of FILE even if cached version
 is available.  This option applies only if FILE is a URL."
   (let* ((is-url (org-url-p file))
+         (is-remote (condition-case nil
+                        (file-remote-p file)
+                      ;; In case of error, be safe.
+                      (t t)))
          (cache (and is-url
                      (not nocache)
                      (gethash file org--file-cache))))
     (cond
      (cache)
-     (is-url
+     ((or is-url is-remote)
       (if (org--should-fetch-remote-resource-p file)
           (condition-case error
               (with-current-buffer (url-retrieve-synchronously file)
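Review bot: With `((or is-url is-remote)`, a remote file name that is not a URL (one for which `file-remote-p` returns non-nil, or on which it signals) is now handed to `url-retrieve-synchronously` once the user consents, and that function expects a URL. The consent check is the right gate, but the fetch for the non-URL case probably needs to go through the ordinary file-reading path instead. The rest of the `cond` is outside the hunk, so confirm how that branch behaves for such names. Note also that `cache` is still consulted only when `is-url` is non-nil, so remote non-URL files may prompt again on each call unless `org--should-fetch-remote-resource-p` remembers the answer.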
@@ -4721,9 +4743,9 @@ returns non-nil if any of them match."
                      (propertize domain 'face '(:inherit org-link :weight 
normal))
                      ") as safe.\n ")
                   "")
-                (propertize "f" 'face 'success)
                 (if current-file
                     (concat
+                     (propertize "f" 'face 'success)
                      " to download this resource, and permanently mark all 
resources in "
                      (propertize current-file 'face 'underline)
                      " as safe.\n ")
@@ -16004,6 +16026,7 @@ fragments in the buffer."
   (interactive "P")
   (cond
    ((not (display-graphic-p)) nil)
+   ((and untrusted-content (not org--latex-preview-when-risky)) nil)
    ;; Clear whole buffer.
    ((equal arg '(64))
     (org-clear-latex-preview (point-min) (point-max))
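Review bot: The new clause `((and untrusted-content (not org--latex-preview-when-risky)) nil)` makes the command return silently, so a user who invokes it interactively in an untrusted buffer cannot tell why nothing was rendered. Consider a short comment above the clause, e.g. `;; Never run LaTeX on content from an untrusted source unless explicitly allowed.`, and, for interactive calls, a `message` saying that previews are disabled for untrusted content. The function body continues outside the hunk.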


