* Maxim Nikulin <maniku...@gmail.com> [2020-11-09 17:06]:
> 2020-11-08 Jean Louis wrote:
> > That is right, I am using it since years in ~/.mailcap that works well
> > for mutt email client.
> >
> > text/org; emacsclient %s; nametemplate=%s.org;
> > text/x-org; emacsclient %s; nametemplate=%s.org;
>
> Just for curiosity, couldn't it lead to execution of arbitrary code
> placed into elisp table expressions, some macro, etc.?

The file name is created on the fly, like a temporary file name. Email
does not carry the file name. But it is true that file names can be used
maliciously. Only not in the case when I am opening an Org file from the
Mutt email client or others. But if I were opening an Org file with some
malicious file name from other software, I guess there could be
problems. Quoting '%s' is recommended.

Mailcap has security issues just as the file system has.

When the file is opened, there is an Org file. There is no automatic
execution unless the user has set his system to maybe automatically
execute stuff.

> I have not convinced myself that just opening of a file (without
> executing of src blocks) is safe enough and there no dangerous
> #+startup options or other tricks.

That is why on GNU/Linux and BSD systems and other systems we have
login with username and passwords and locking screensavers. Those are
for use. Computers should be protected from malicious access.

By all means you are right to be cautious with Emacs, which executes
all kinds of things here and there. For the same reason one should be
cautious of any packages coming from various popular package
repositories, as such are not verified for safety issues.

For any Emacs package, never allow local file variables to be executed
unless you are sure what you are doing. Just say no if unsure.

For any package offered through some uncommon communication line, such
as XMPP chat or IRC, like "Hey there, look what this theme does", do
not trust it without being very sure that the package is verified or at
least downloaded by many people without complaints.

Any programming language is insecure if people just execute programs
without verifying the background of such programs, the people behind
them and whether many users appreciate the programs.

When receiving an Org file by email you should know who the person
behind it is. The only Org files I am receiving currently are from
Sacha Chua, the Emacs News, as I am subscribed to it.

You may subscribe too: https://sachachua.com/blog/#text-3

--
Thanks,
Jean Louis
⎔ λ 🄯 𝍄 𝌡 𝌚
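
Added example, not part of the original message: a small pre-open triage script for a received Org file that lists the constructs raised in this thread (file-local variables, source blocks, Lisp forms in table formulas, eval macros, #+STARTUP) so they can be read before the file is opened in Emacs. The patterns, the function name and the sample text are constructed for illustration; a match means "review this line first", not that Emacs would run it on open.

```python
import re

# (label, pattern, last line number on which the pattern is checked, or None)
# A match means "review this line before opening", not "this runs on open".
CHECKS = [
    ("first-line file-local variables", re.compile(r"-\*-.*-\*-"), 2),
    ("Local Variables block", re.compile(r"^\s*#\s*Local Variables:", re.I), None),
    ("eval: file-local variable", re.compile(r"^\s*#\s*eval:", re.I), None),
    ("source block", re.compile(r"^\s*#\+BEGIN_SRC\b", re.I), None),
    ("inline source block", re.compile(r"\bsrc_[\w-]+(\[[^\]]*\])?\{"), None),
    ("Lisp form in table formula", re.compile(r"^\s*#\+TBLFM:.*'\(", re.I), None),
    ("macro using eval", re.compile(r"^\s*#\+MACRO:\s+\S+\s+\(eval\b", re.I), None),
    ("#+STARTUP keyword", re.compile(r"^\s*#\+STARTUP:", re.I), None),
]

def scan_org(text):
    """Return (line_number, label, line) for every construct worth reviewing."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, pattern, last_line in CHECKS:
            if last_line is not None and lineno > last_line:
                continue  # the -*- ... -*- form only counts near the top of the file
            if pattern.search(line):
                findings.append((lineno, label, line.strip()))
    return findings

# Constructed sample input, not taken from any real message.
SAMPLE = """# -*- mode: org; eval: (message "hi") -*-
#+TITLE: Constructed sample
#+STARTUP: overview
#+MACRO: today (eval (format-time-string "%F"))

| a | b |
|---+---|
| 1 | 2 |
#+TBLFM: $2='(* 2 $1);N

#+BEGIN_SRC sh
echo hello
#+END_SRC

Plain paragraph with src_python{1+1} inline.

# Local Variables:
# eval: (message "loaded")
# End:
"""

if __name__ == "__main__":
    for lineno, label, line in scan_org(SAMPLE):
        print(f"{lineno:>3}  {label:<32} {line}")
```
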