bug#48676: Arbitrary code execution in Org export macros

2025-02-07 Thread Max Nikulin 

On 08/02/2025 05:11, Stefan Kangas wrote:

Glenn Morris writes:

#+macro: hello (eval (shell-command-to-string "touch /tmp/HELLO"))
Hello. {{{hello}}}

Then: M-x org-export-dispatch t A[...]> Ihor, could you please look into this 
bug?


Disclaimer: I am not Ihor.

In my opinion, it is an important, but not an urgent issue.

I do not see a way to unintentionally invoke export in default
configuration. It requires C-x C-e and a couple of extra keys
to select format. User can abort the process after accidental
starting export dispatcher. So this issue is less severe than
e.g. CVE-2024-53920 (indirectly related to bug#32495 completion
and bug#37656 flymake) when it is enough to open some file
to cause execution of embedded code.

I admit there are user configurations and some packages that
may add easy access binding e.g. to copy selection as HTML
or as MarkDown that run org-export under the hood.

Execution of code really may be surprising for novices,
but for experienced Org users it is a powerful feature.
I not mind that a warning related to macros may be added to
(info "(org) Code-Evaluation-Security")
and linked from (info "(org) Exporting") subsection
(info "(org) Macro-Replacement").

What may help to mitigate the issue is the recently introduced
`trusted-content' variable (that still may be renamed to
`macros-always-safe' or to something even more confusing).
Maybe more flexible settings should be implemented.
I expect, Glenn does not assume that `org-export'
should be affected by user options related to
(info "(emacs) File-Variables"),
and it was just an example of a similar approach.

There was an attempt to fix this kind of issues in Org.
Unfortunately a naive approach caused severe user inconvenience
and the changes were reverted. I am afraid, as a consequence,
some users even disabled existing protection related to `org-babel'.
I recall a discussion on the emacs-orgmode mailing list
how to manage degree of trust for specific Org mode documents.

I do not think it would harm to put eval macros behind
`trusted-content' when this variable is available,
but it would not be a complete fix. Org supports previous
Emacs releases.

Improve documentation of org-reverse-note-order

2025-02-07 Thread Karthik Chikmagalur 
It's not clear from the documentation of `org-reverse-note-order' what
"note" means:

--8<---cut here---start->8---
Non-nil means store new notes at the beginning of a file or entry.
When nil, new notes will be filed to the end of a file or entry.
This can also be a list with cons cells of regular expressions that
are matched against file names, and values.
--8<---cut here---end--->8---

At first glance, it looks like it applies only to `org-add-note'.  I had
to look at the code to see that it applies to `org-refile' and
(possibly) to org-capture as well, but not to `org-add-note' itself!

I think this documentation can be improved.  Can we append something
like this at the end?

--8<---cut here---start->8---
This affects the default placement of new notes at the destination when
running `org-refile' and `org-capture'.  See also the command
`org-refile-reverse'.
--8<---cut here---end--->8---

Additionally, should this variable affect the order of notes stored via
`org-add-note'?

Karthik

bug#48676: Arbitrary code execution in Org export macros

2025-02-07 Thread Stefan Kangas 
Glenn Morris  writes:

> Package: emacs,org-mode
> Version: 28.0.50
> Severity: important
> Tags: security
>
> emacs -Q hello.org, where hello.org contains:
>
> #+macro: hello (eval (shell-command-to-string "touch /tmp/HELLO"))
> Hello. {{{hello}}}
>
> Then:
> M-x org-export-dispatch
> t A
>
> -> now /tmp/HELLO exist, with no prompting.
>
> This seems contrary to normal Emacs practice for risky local variables,
> and to the section "Code Evaluation and Security Issues" in the Org manual
> (which does not mention macros).

Ihor, could you please look into this bug?

Re: [BUG] intermittent invalid search bound error [9.6.15 (release_9.6.15 @ /tmp/.mount_Emacs-NcE3UV/share/emacs/29.4/lisp/org/)]

2025-02-07 Thread Ihor Radchenko 
John  writes:

> I periodically get the following error for no apparent rhyme or reason:
>
> Warning (org-element-cache): org-element--cache: Org parser error in 
> Notes.org::25724. Resetting.
>  The error was: (error "Invalid search bound (wrong side of point)")
>  Backtrace:
> "  backtrace-to-string(nil)
>   org-element-at-point()
>   org-return(nil nil 1)
>   funcall-interactively(org-return nil nil 1)
>   command-execute(org-return)
>
> It occurs with other commands, not just enter. It occurs randomly with
> "dabbrev-expand" or just jumping to a different location. It occurs with
> commands that work most of the time without issue.

Thanks for reporting!

1. Try to upgrade to Org 9.7. If you are lucky, the problem will be resolved
2. If you see the problem after upgrade, please do M-x
   toggle-debug-on-error. Then, Org will pop up complete debugger window
   with full backtrace. Please then share that backtrace.

-- 
Ihor Radchenko // yantar92,
Org mode maintainer,
Learn more about Org mode at .
Support Org development at ,
or support my work at

Re: [BUG] Org parser error [9.8-pre (e39c42286 @ /home/karthik/.local/share/git/elpaca/builds/org/)]

2025-02-07 Thread Ihor Radchenko 
Karthik Chikmagalur  writes:

> I ran M-h (org-mark-element) on a paragraph and got this warning:
>
> --8<---cut here---start->8---
> ⛔ Warning (org-element): org-element--cache: Org parser error in 
> 2025-01-09.org::2473. Resetting.
>  The error was: (wrong-type-argument integer-or-marker-p nil)
>  Backtrace:
> "  (backtrace-to-string nil)
>   (org-element-at-point)
>   (org-mark-element)
>   (funcall-interactively org-mark-element)
>   (command-execute org-mark-element)
> "
>  Please report this to Org mode mailing list (M-x org-submit-bug-report).

May you trigger it with M-x toggle-debug-on-error? This should pop up
the full backtrace window.

-- 
Ihor Radchenko // yantar92,
Org mode maintainer,
Learn more about Org mode at .
Support Org development at ,
or support my work at

Re: [BUG] org agenda parsing [9.7.11 (9.7.11-6a5d0e @ /home/rivals/.emacs.d/elpa/org-9.7.11/)]

2025-02-07 Thread Ihor Radchenko 
Rivals Eric  writes:

> Remember to cover the basics, that is, what you expected to happen and
> what in fact did happen.  You don't know how to make a good report?  See
>
>   https://orgmode.org/manual/Feedback.html#Feedback
>
> Your bug report will be posted to the Org mailing list.
> 

Looks like you forgot describing the problem you wanted to report ;)

-- 
Ihor Radchenko // yantar92,
Org mode maintainer,
Learn more about Org mode at .
Support Org development at ,
or support my work at

org code highlight w/ single quote

2025-02-07 Thread Jason Hemann 
On at least Org mode version 9.8-pre (release_9.7.20-241-g3218d3), the 
following snippet is highlighted with org-code face.

~'~, plain ~foo~

I suspect that behavior is incorrect. When I export, say, to HTML, the output 
looks like I would expect—namely, that the comma and the word plain are outside 
of  tags.

', plain foo

Thank you for your help.

Best,

Jason Hemann

Re: [BUG] Warning (org-element): ‘org-element-at-point’ cannot be used in non-Org buffer # (org-agenda-mode) [9.7.11 (release_9.7.11 @ /Applications/Emacs.app/Contents/Resources/l

2025-02-07 Thread Ihor Radchenko 
Mark Barton  writes:

>>> May you try to run M-x debug-on-entry RET display-warning RET and
>>> try triggering the warning? Then, you will see a backtrace with the full
>>> information about where the warning is triggered.
>>> 
>>> (you can later disable the debugger via M-x cancel-debug-on-entry RET RET)
> ...
> Got it to occur in org-agenda-log-mode C-c a a l
>
> Debugger entered--entering a function:
> * org-element-at-point()
>   org--collect-keywords-1(("SETUPFILE" "FILETAGS" "TAGS") ("ARCHIVE" 
> "CATEGORY" "COLUMNS" "PRIORITIES") nil 
> ("/Users/bartm002/Documents/org/Work_Projects.org") nil)
>   org-collect-keywords(("FILETAGS" "TAGS") ("ARCHIVE" "CATEGORY" "COLUMNS" 
> "PRIORITIES"))
>   org-set-regexps-and-options(tags-only)
>   
> org-agenda-prepare-buffers(("/Users/bartm002/Documents/org/Work_Projects.org" 
> "/Users/bartm002/Documents/org/Bookmarks.org" 
> "/Users/bartm002/Documents/org/DailyPlans.org" 
> "/Users/bartm002/Documents/org/Personal.org" 
> "/Users/bartm002/Documents/org/Today.org" 
> "/Users/bartm002/Documents/org/diary.org" 
> "/Users/bartm002/Documents/org/goals.org" 
> "/Users/bartm002/Documents/org/python_notes.org" 
> "/Users/bartm002/Documents/org/refile.org"))
>   org-agenda-prepare("Day/Week")

This is perfectly normal.
If you try "e (current-buffer) RET" inside the debugger, you will end up
in an Org file.

There is a reason why I asked to debug display-warning rather than
org-element-at-point itself. What you need to catch is what is calling
org-element-at-point in inappropriate place.

-- 
Ihor Radchenko // yantar92,
Org mode maintainer,
Learn more about Org mode at .
Support Org development at ,
or support my work at

Re: org-present and '+' used for drawing

2025-02-07 Thread Ihor Radchenko 
"Loris Bennett"  writes:

> Should I be surprised when, if I look at the following
>  
> * Test
>
> #+BEGIN_SRC ditaa :file foo.png
> +---+
> | Hello |
> +---+
> #+END_SRC
>
> with org-present, the '+' signs disappear, shifting the subsequent
> characters to the left?

Sounds like some kind of fontification bug (we have many), but I cannot
reproduce starting from emacs -Q.

> Should I be creating boxes for org-present in a different way?

Try to reproduce the problem with emacs -Q first.

-- 
Ihor Radchenko // yantar92,
Org mode maintainer,
Learn more about Org mode at .
Support Org development at ,
or support my work at

Re: [BUG] Org Agenda issue (org said to send) [9.6.29](@ /home/tyler/.emacs.d/elpa/org-9.6.29/)]

2025-02-07 Thread Ihor Radchenko 
Tyler Mayes  writes:

> I was having an issue where the agenda displays but any command I run
> says "No Org Agenda currently displayed" but it is showing entries that
> I can tab to and if follow mode is on it goes to them.
>
> I tried org-mode-restart which didn't do anything then I used load-file
> to load my init.el and it said send a report to the org mailing list.

Thanks for reporting!
If you saw a message asking to send bug report, something was off with
parser cache.

You are still using Org 9.6. If you encounter the problem regularly, I
suggest upgrading to Org 9.7 and reporting back if the problem does not
resolve itself.

-- 
Ihor Radchenko // yantar92,
Org mode maintainer,
Learn more about Org mode at .
Support Org development at ,
or support my work at

Re: [DISCUSSION] Contributing policy for WORG

2025-02-07 Thread Bastien Guerry 
Bastien Guerry  writes:

> What about gollum?
>
> https://github.com/gollum/gollum

Someone just mentioned gitit to me - we mentioned it already in 2013 and
the project seems to be alive: https://github.com/jgm/gitit

  "Gitit is a wiki program written in Haskell. It uses Happstack for the
  web server and pandoc for markup processing. Pages and uploaded files
  are stored in a git, darcs, or mercurial repository and may be
  modified either by using the VCS's command-line tools or through the
  wiki's web interface. By default, pandoc's extended version of
  markdown is used as a markup language, but reStructuredText, LaTeX,
  HTML, DocBook, or Emacs Org-mode markup can also be used. Gitit can be
  configured to display TeX math (using texmath) and highlighted source
  code (using highlighting-kate)."

For this too, we would need a volunteer to run a test instance.

2 cts,

-- 
 Bastien Guerry