Re: [BUG] Unsolicited download of remote resources
From: Leo Butler
Subject: Re: [BUG] Unsolicited download of remote resources
Date: Fri, 2 Feb 2024 19:04:44 +0000
User-agent: Gnus/5.13 (Gnus v5.13)

On Fri, Feb 02 2024, Max Nikulin <manikulin@gmail.com> wrote:
> Hi,
>
> Org git main HEAD, try to open the following file:
>
> --- 8< ---
>
> #+setupfile: http://localhost:8000/setup-1234567890.org
>
> test
> --- >8 ---
>
> I am trying to decline attempts to download the remote resource by
> hitting "n" (skip), but Org still tries to fetch that file and does it
> twice. I see in the *Messages*
>
> Please type y, n, d, or !: n
> Contacting host: localhost:8000
> Org couldn’t download "http://localhost:8000/setup-1234567890.org":
> file-error ("make client process failed" "Connection refused" :name
> "localhost" :buffer #<killed buffer> :host "localhost" :service 8000
> :nowait nil :tls-parameters nil :coding nil)
>
> Please type y, n, d, or !: n
> Contacting host: localhost:8000
> Org couldn’t download "http://localhost:8000/setup-1234567890.org":
> file-error ("make client process failed" "Connection refused" :name
> "localhost" :buffer #<killed buffer> :host "localhost" :service 8000
> :nowait nil :tls-parameters nil :coding nil)
>
> From my point of view Org should not do it. Assume it is not a file I
> created myself, but it is downloaded from some web server or received in
> an e-mail message.

When I opened your email in Gnus, I was greeted with the same
(bewildering) message. Given that Org still tried to download the
setupfile after being told not to, I think this is a major security
hole.
This is also related to another thread concerning Org and email.
https://list.orgmode.org/orgmode/87cyteyhif.fsf@localhost/
Leo