Hello, Allen Li <vianchielfa...@gmail.com> writes:
> org-attach-directory should be safe to set as a file local or > directory local string. > > This allows the user to set a directory local attachment directory for > all Org files in a directory tree recursively. > > I do not believe there are any security issues to enable arbitrary Org > files to set org-attach-directory to a string value as the user would > have to explicitly initiate any attach operations. The most dangerous > thing I can think of is an Org file setting the attachment directory > to the user's home directory and the user running the command to > delete all attachments. Fair enough. I added a :safe keyword to the defcustom. Regards, -- Nicolas Goaziou
