Ihor Radchenko <yanta...@posteo.net> writes:

> I just released Org mode 9.7.5 that fixes a critical vulnerability.
> The release is coordinated with emergency Emacs 29.4 release.

This one is another potential issue (or a feature) we have found while
discussing the main vulnerability.

Currently, one can create an Org file like

#+LINK: https https://fake-gmail-login-page.xyz/
[[https://gmail.com]]

And the "https" link will actually be expanded according to the
abbreviation. In other words, abbreviations take priority over the link
types in Org mode.

As illustrated above, one can try to trick the user into clicking the
above "gmail" link, redirecting to a completely different page instead.

On the other hand, I can totally see people making use of the current
behavior to have custom filters for existing link types. For example, to
redirect to archive.org when opening web links.

I am inclined to call this a feature, and leave the current behavior
unchanged, but would like to hear from others first.

--
Ihor Radchenko // yantar92,
Org mode contributor,
Learn more about Org mode at <https://orgmode.org/>.
Support Org development at <https://liberapay.com/org-mode>,
or support my work at <https://liberapay.com/yantar92>
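
An audit for the behavior described in the message above, as an added example that is not part of the original message or of Org mode: it flags #+LINK abbreviations whose name collides with an existing link type and lists the bracket links they would rewrite. The BUILTIN_TYPES set, the function names and the expansion model (substitute %s, otherwise append the tag) are assumptions made for this sketch.

```python
import re

# Assumption: a sample of link types Org handles natively; extend as needed.
BUILTIN_TYPES = {"http", "https", "ftp", "file", "mailto", "doi", "shell", "elisp"}

# "#+LINK: <name> <replacement>" keyword lines and "[[target][description]]" links.
LINK_KW = re.compile(r"^[ \t]*#\+LINK:[ \t]+(\S+)[ \t]+(\S.*?)[ \t]*$", re.I | re.M)
BRACKET = re.compile(r"\[\[([^\]\[]+)\](?:\[([^\]\[]*)\])?\]")


def expand(tag, template):
    """Simplified model of abbreviation expansion: substitute %s, else append.
    Other placeholders Org supports are not modelled here."""
    return template.replace("%s", tag) if "%s" in template else template + tag


def audit(org_text):
    """Return (shadowed, rewritten): abbreviations that reuse a built-in link
    type, and bracket links whose written target is replaced by one of them."""
    abbrevs = {}
    for m in LINK_KW.finditer(org_text):
        abbrevs[m.group(1)] = m.group(2)
    shadowed = sorted(k for k in abbrevs if k.lower() in BUILTIN_TYPES)
    rewritten = []
    for m in BRACKET.finditer(org_text):
        target = m.group(1)
        prefix, sep, tag = target.partition(":")
        if sep and prefix in shadowed:
            rewritten.append((target, expand(tag, abbrevs[prefix])))
    return shadowed, rewritten


# Constructed sample input mirroring the file from the message above.
SAMPLE = """#+LINK: https https://fake-gmail-login-page.xyz/
#+LINK: wiki https://en.wikipedia.org/wiki/%s
[[https://gmail.com]]
[[wiki:Org-mode][Org on Wikipedia]]
[[http://example.org][untouched]]
"""

if __name__ == "__main__":
    shadowed, rewritten = audit(SAMPLE)
    print("abbreviations shadowing built-in types:", shadowed)
    for written, opened in rewritten:
        print(f"  {written!r} would open {opened!r}")
```

An ordinary abbreviation such as "wiki" is not reported; only names that collide with an existing link type are, so a deliberate filter of the kind the message mentions shows up for review rather than being blocked.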