emacs-orgmode

Re: [BUG] Unsolicited download of remote resources


From: Leo Butler
Subject: Re: [BUG] Unsolicited download of remote resources
Date: Fri, 2 Feb 2024 19:04:44 +0000
User-agent: Gnus/5.13 (Gnus v5.13)

On Fri, Feb 02 2024, Max Nikulin <manikulin@gmail.com> wrote:

> Hi,
>
> Org git main HEAD, try to open the following file:
>
> --- 8< ---
>
> #+setupfile: http://localhost:8000/setup-1234567890.org
>
> test
> --- >8 ---
>
> I am trying to decline attempts to download the remote resource by 
> hitting "n" (skip), but Org still tries to fetch that file and does it 
> twice. I see in the *Messages*
>
> Please type y, n, d, or !: n
> Contacting host: localhost:8000
> Org couldn’t download "http://localhost:8000/setup-1234567890.org": 
> file-error ("make client process failed" "Connection refused" :name 
> "localhost" :buffer #<killed buffer> :host "localhost" :service 8000 
> :nowait nil :tls-parameters nil :coding nil)
>
> Please type y, n, d, or !: n
> Contacting host: localhost:8000
> Org couldn’t download "http://localhost:8000/setup-1234567890.org": 
> file-error ("make client process failed" "Connection refused" :name 
> "localhost" :buffer #<killed buffer> :host "localhost" :service 8000 
> :nowait nil :tls-parameters nil :coding nil)
>
> From my point of view Org should not do it. Assume it is not a file I 
> created myself, but it is downloaded from some web server or received in 
> an e-mail message.

When I opened your email in Gnus, I was greeted with the same
(bewildering) message. Given that Org still tried to download the
setupfile after being told not to, I think this is a major security
hole.

This is also related to another thread concerning Org and email.

https://list.orgmode.org/orgmode/87cyteyhif.fsf@localhost/

Leo
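
A pre-open check for the situation described in this thread (an Org file received by e-mail or downloaded from the web), as an added example that is not part of the original messages or of Org itself: it lists `#+SETUPFILE` lines that name a remote URL and can comment them out before the file is opened. Treating only http, https and ftp URLs as remote is an assumption, and the function names are hypothetical.

```python
import re

# Org keywords are case-insensitive and may be indented.
SETUPFILE_RE = re.compile(r"^[ \t]*#\+setupfile:[ \t]*(.*?)[ \t]*$", re.IGNORECASE)
# Assumption: "remote" means an http, https or ftp URL.
REMOTE_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)


def setupfile_target(line):
    """Return the #+SETUPFILE value on this line, or None if it is another line."""
    m = SETUPFILE_RE.match(line)
    if not m:
        return None
    value = m.group(1)
    # The value may be wrapped in double quotes.
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return value


def find_remote_setupfiles(text):
    """List (line_number, url) for each #+SETUPFILE that names a remote URL."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        target = setupfile_target(line)
        if target and REMOTE_RE.match(target):
            hits.append((number, target))
    return hits


def neutralize(text):
    """Comment out remote #+SETUPFILE lines so the file can be opened and read."""
    out = []
    for line in text.splitlines(keepends=True):
        target = setupfile_target(line.rstrip("\r\n"))
        if target and REMOTE_RE.match(target):
            line = "# " + line.lstrip(" \t")  # "# " starts an Org comment line
        out.append(line)
    return "".join(out)


# First three lines are the reproducer from the report; the rest is constructed.
SAMPLE = (
    "#+setupfile: http://localhost:8000/setup-1234567890.org\n"
    "\n"
    "test\n"
    '  #+SETUPFILE: "https://example.invalid/theme.org"\n'
    "#+setupfile: ./local-setup.org\n"
)
```

The scan is deliberately conservative: it reports every matching line, including ones that sit inside example blocks.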
