Re: [BUG] Unsolicited download of remote resources


From: Leo Butler
Subject: Re: [BUG] Unsolicited download of remote resources
Date: Mon, 5 Feb 2024 19:19:45 +0000
User-agent: Gnus/5.13 (Gnus v5.13)

On Sun, Feb 04 2024, Max Nikulin <manikulin@gmail.com> wrote:

> On 03/02/2024 02:04, Leo Butler wrote:
>> When I opened your email in Gnus, I was greeted with the same
>> (bewildering) message. Given that Org still tried to download the
>> setupfile after being told not to, I think this is a major security
>> hole.
>> This is also related to another thread concerning Org and email.
>> https://list.orgmode.org/orgmode/87cyteyhif.fsf@localhost/
>
> Sorry for sending a message with this kind of attachment, but from the
> discussion of that Emacs bug I expected that almost no Gnus users
> should be affected since their media type handler is set for
> text/x-org while Thunderbird uses "Content-Type: text/org".
>
> I would not classify this kind of issue as a security one. I am
> unaware of Org features that may make the content of "#+setupfile:" more
> dangerous than the same snippet included in the attachment
> directly. (OK, an antivirus might have a chance to detect something as
> dangerous code, and "#+setupfile:" would bypass such protection.)
>
> I consider it a privacy issue. It may allow spammers to track whether
> their messages are delivered successfully.

There's no need to apologize--I was surprised at the whole episode.

Q: if #+setupfile points to a real file available to download, does Org
evaluate that file?

Leo
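As an added example that is not part of this thread: an Emacs configuration that keeps Org from fetching remote `#+setupfile:`/`#+include:` targets silently, which is the behaviour the bug report is about. It assumes Org 9.6 or later, which provides `org-resource-download-policy` and `org-safe-remote-resources`; the allowed-host pattern is a constructed placeholder.

```elisp
;; Added example, not code from the Org project or from this thread.
;; Assumes Org 9.6+, which provides the two variables used below.

;; Weak setting: every remote #+setupfile:/#+include: is downloaded
;; as soon as the file is opened, with no prompt.  Do not use this for
;; files that arrive as mail attachments.
;; (setq org-resource-download-policy t)

;; Safest setting for a mail reader: never download remote resources.
;; (setq org-resource-download-policy nil)

;; Middle ground: ask for each remote resource, but allow listed sources
;; without prompting.
(setq org-resource-download-policy 'prompt)

;; Regexps for resources that may be fetched without asking.
;; "example.invalid" is a constructed placeholder, not a real host.
(setq org-safe-remote-resources
      '("\\`https://example\\.invalid/org-setup/"))

;; Hypothetical helper (added here) that reports whether a URI would be
;; fetched without a prompt under the configuration above.
(defun my/org-remote-resource-allowed-p (uri)
  "Return non-nil if URI matches an entry of `org-safe-remote-resources'."
  (seq-some (lambda (re) (string-match-p re uri))
            org-safe-remote-resources))

;; Example checks against the constructed allow-list:
;; (my/org-remote-resource-allowed-p "https://example.invalid/org-setup/x.org") ; non-nil
;; (my/org-remote-resource-allowed-p "https://tracker.invalid/pixel.org")      ; nil
```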
