[POLL] We plan to remove #+LINK: ...%(my-function) placeholder from link
From: Ihor Radchenko
Subject: [POLL] We plan to remove #+LINK: ...%(my-function) placeholder from link abbreviation spec (was: [ANN] Emergency bugfix release: Org mode 9.7.5)
Date: Fri, 28 Jun 2024 15:09:12 +0000

Dear all,

> I just released Org mode 9.7.5 that fixes a critical vulnerability.
> The release is coordinated with emergency Emacs 29.4 release.
> ...
> The vulnerability involves arbitrary Shell code evaluation...

In view of the recent vulnerability, we are considering removing the
offending feature completely.

For the time being, we restricted %(function) constructs in #+LINK:
... lines to (1) pure functions (no side effects, no access to global
state); (2) functions explicitly marked by the user.

However, while discussing how to approach the vulnerability, we did not
find many examples of using #+LINK: label %(function) in the wild.

If you are actively using #+LINK: keywords with %(...) placeholders or
have any objections to this feature removal, please let us know.

--
Ihor Radchenko // yantar92,
Org mode contributor,
Learn more about Org mode at <https://orgmode.org/>.
Support Org development at <https://liberapay.com/org-mode>,
or support my work at <https://liberapay.com/yantar92>
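
The two conditions named in the message (pure functions, or functions explicitly marked by the user) can be modelled as a gate in front of the placeholder call. This is an added example, not Org's code and not from the author of the message; every `my/` name, including the `my/link-abbrev-approved` property, is hypothetical, and signalling an error on refusal is a choice made here.

```emacs-lisp
;;; -*- lexical-binding: t; -*-
;; Added illustration; every `my/' name is hypothetical, not Org's API.

(defun my/placeholder-function-allowed-p (fn)
  "Return non-nil when FN may be called for a %(FN) placeholder.
FN must be a defined function that is either marked pure or has been
approved by the user through `my/approve-placeholder-function'."
  (and fn (symbolp fn) (fboundp fn)
       (or (function-get fn 'pure)
           (function-get fn 'my/link-abbrev-approved))))

(defun my/approve-placeholder-function (fn)
  "Record the user's explicit approval of FN for %(FN) placeholders."
  (function-put fn 'my/link-abbrev-approved t))

(defun my/expand-placeholder (template tag)
  "Expand the first %(FN) in TEMPLATE by calling FN on TAG.
Signal `user-error' instead of calling a function that is not allowed."
  (if (not (string-match "%(\\([^)]+\\))" template))
      template
    ;; `intern-soft' only looks the name up: it never evaluates text
    ;; taken from the document and never creates a new symbol.
    (let* ((name (match-string 1 template))
           (fn (intern-soft name)))
      (unless (my/placeholder-function-allowed-p fn)
        (user-error "Not calling unapproved function in link abbreviation: %s"
                    name))
      ;; FN may run its own regexp searches, so protect the match data
      ;; that `replace-match' still needs.
      (let ((result (save-match-data (funcall fn tag))))
        (replace-match (format "%s" result) t t template)))))

;; Constructed sample functions.
(defun my/tag-to-path (tag)
  "Map TAG to a lower-case path segment; depends only on TAG."
  (downcase (replace-regexp-in-string " " "-" tag)))
(function-put 'my/tag-to-path 'pure t)

(defun my/record-tag (tag)
  "Append TAG to a buffer and return it; has a side effect."
  (with-current-buffer (get-buffer-create "*my-tags*")
    (insert tag "\n"))
  tag)

;; Allowed, because the function is marked pure:
;;   (my/expand-placeholder "https://example.org/%(my/tag-to-path)" "Some Page")
;; Refused until (my/approve-placeholder-function 'my/record-tag) is run:
;;   (my/expand-placeholder "https://example.org/%(my/record-tag)" "Some Page")
```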