Re: [BUG] Unsolicited download of remote resources
From: Leo Butler
Subject: Re: [BUG] Unsolicited download of remote resources
Date: Mon, 5 Feb 2024 19:19:45 +0000
User-agent: Gnus/5.13 (Gnus v5.13)
On Sun, Feb 04 2024, Max Nikulin <manikulin@gmail.com> wrote:
> On 03/02/2024 02:04, Leo Butler wrote:
>> When I opened your email in Gnus, I was greeted with the same
>> (bewildering) message. Given that Org still tried to download the
>> setupfile after being told not to, I think this is a major security
>> hole.
>> This is also related to another thread concerning Org and email.
>> https://list.orgmode.org/orgmode/87cyteyhif.fsf@localhost/
>
> Sorry for sending a message with this kind of attachment, but from the
> discussion of that Emacs bug I expected that almost no Gnus users
> should be affected since their media type handler is set for
> text/x-org while Thunderbird uses "Content-Type: text/org".
>
> I would not classify this kind of issue as a security one. I am
> unaware of Org features that may make the content of "#+setupfile:" more
> dangerous than the same snippet included in an attachment
> directly. (OK, an antivirus might have a chance to detect something as
> dangerous code and "#+setupfile:" would bypass such protection.)
>
> I consider it as a privacy issue. It may allow spammers to track if
> their messages are delivered successfully.
There's no need to apologize--I was surprised at the whole episode.
Q: if #+setupfile points to a real file available to download, does Org
evaluate that file?
Leo
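The privacy concern raised above is that a remote "#+setupfile:" in an Org attachment is fetched when the message is opened, which lets the sender learn that the mail was read. The following scanner is an added example for this thread, not code from Org or from either poster: it flags Org keyword lines whose value is a remote URL so that an inbound attachment can be checked before Emacs opens it. Assumptions of this example: Org keywords are matched case-insensitively and may carry a quoted value; the schemes treated as "remote" (http, https, ftp) and the sample attachment text are constructed for illustration.

```python
import re
from typing import List, NamedTuple, Tuple

# Keywords whose value Org resolves to a file and may fetch over the
# network. "#+setupfile:" is the one discussed in the thread; the tuple is
# a parameter so further keywords can be added by the caller.
REMOTE_FETCH_KEYWORDS = ("setupfile",)

# URL schemes this example treats as remote (assumption of the example).
REMOTE_SCHEME_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)


class RemoteRef(NamedTuple):
    line_no: int   # 1-based line in the attachment
    keyword: str   # keyword name, lower-cased
    target: str    # the URL Org would try to fetch


def _keyword_re(keywords) -> "re.Pattern[str]":
    # An Org keyword line: optional leading whitespace, "#+KEY:", then the
    # value. Org matches keyword names case-insensitively.
    alt = "|".join(re.escape(k) for k in keywords)
    return re.compile(rf"^\s*#\+({alt}):\s*(.*?)\s*$", re.IGNORECASE)


def find_remote_refs(org_text: str,
                     keywords=REMOTE_FETCH_KEYWORDS) -> List[RemoteRef]:
    """Return every keyword line whose value is a remote URL."""
    pat = _keyword_re(keywords)
    refs: List[RemoteRef] = []
    for n, line in enumerate(org_text.splitlines(), 1):
        m = pat.match(line)
        if not m:
            continue
        # Org accepts the value with or without surrounding double quotes.
        target = m.group(2).strip().strip('"')
        if REMOTE_SCHEME_RE.match(target):
            refs.append(RemoteRef(n, m.group(1).lower(), target))
    return refs


def check_attachment(org_text: str) -> Tuple[bool, List[RemoteRef]]:
    """(is_clean, offending_refs): clean means no remote fetch directive."""
    refs = find_remote_refs(org_text)
    return (len(refs) == 0, refs)


# Constructed sample attachment (not a real message): two remote
# setupfiles in different keyword casings, one local setupfile, and a
# plain link in the body, which is not a fetch directive.
SAMPLE_ATTACHMENT = """\
#+title: Constructed sample (not a real message)
#+setupfile: https://tracker.example/beacon.org
#+SETUPFILE: "https://tracker.example/beacon2.org"
#+setupfile: ~/org/local-setup.org
* Heading
Body text with a link to https://example.org/ that is only a link.
"""

if __name__ == "__main__":
    clean, refs = check_attachment(SAMPLE_ATTACHMENT)
    print("clean" if clean else "remote fetch directives found:")
    for r in refs:
        print(f"  line {r.line_no}: #+{r.keyword}: {r.target}")
```

A mail filter can run `check_attachment` over text/org or text/x-org parts and quarantine or annotate the message when the result is not clean; the local "~/org/..." value is deliberately left alone, since only network targets give the sender a delivery signal.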