On 03/02/2024 02:04, Leo Butler wrote:

When I opened your email in Gnus, I was greeted with the same
(bewildering) message. Given that Org still tried to download the
setupfile after being told not to, I think this is a major security
hole.

This is also related to another thread concerning Org and email.
https://list.orgmode.org/orgmode/87cyteyhif.fsf@localhost/

Sorry for sending a message with this kind of attachment, but from the discussion of that Emacs bug I expected that almost no Gnus users should be affected since their media type handler is set for text/x-org while Thunderbird uses "Content-Type: text/org".

I would not classify this kind of issue as a security one. I am unaware of Org features that may make the content of "#+setupfile:" more dangerous than when the same snippet is included in the attachment directly. (OK, antivirus might have a chance to detect something as dangerous code and "#+setupfile:" would bypass such protection.)

I consider it a privacy issue. It may allow spammers to track if their messages are delivered successfully.

I was really surprised when I found the "n" option to decline downloads broken. I expected it was addressed in [PATCH] New remote resource download policy. Sun, 12 Jun 2022 22:43:07 +0800. https://list.orgmode.org/87mteiq6ou....@gmail.com
since it was raised in the earlier thread
[PATCH] Support =#+include=-ing URLs. Sun, 05 Jun 2022 22:32:30 +0800.
https://list.orgmode.org/87k09v5gap....@gmail.com
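
The tracking concern described in the message above can be checked for before an Org attachment is ever opened. The following is an added example, not part of the original message or of Org itself: a small scanner that lists `#+setupfile:` and `#+include:` lines pointing at remote URLs. The function name, the sample attachment and the choice of http/https/ftp as "remote" are assumptions made for illustration.

```python
import re

# "#+KEYWORD: value" lines; Org keywords are case-insensitive and may be indented.
_KEYWORD = re.compile(r'^[ \t]*#\+(setupfile|include):(.*)$',
                      re.IGNORECASE | re.MULTILINE)
# Assumption: only these URL schemes are treated as remote resources.
_REMOTE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

def remote_resources(org_text):
    """Return (line_number, keyword, url) for each remote setupfile/include.

    The scan is deliberately conservative: it does not track example or
    source blocks, so a keyword line quoted inside a block is reported too.
    """
    findings = []
    for m in _KEYWORD.finditer(org_text):
        value = m.group(2).strip()
        if not value:
            continue  # keyword with no target
        if value.startswith('"'):
            # Quoted target, e.g. #+include: "https://..." :lines "1-5"
            end = value.find('"', 1)
            target = value[1:end] if end != -1 else value[1:]
        else:
            target = value.split()[0]
        if _REMOTE.match(target):
            line_no = org_text.count('\n', 0, m.start()) + 1
            findings.append((line_no, m.group(1).lower(), target))
    return findings

# Constructed sample attachment (not taken from the thread).
SAMPLE = """\
#+title: Quarterly notes
#+SETUPFILE: https://example.invalid/track/abc.org
#+setupfile: ./local-setup.org
#+INCLUDE: "https://example.invalid/snippet.org" :lines "1-5"
Text that mentions #+setupfile: https://example.invalid/x inline.
#+setupfile:
"""

if __name__ == "__main__":
    for line_no, keyword, url in remote_resources(SAMPLE):
        print(f"line {line_no}: {keyword} fetches {url}")
```
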
