On Fri, Feb 02 2024, Max Nikulin <maniku...@gmail.com> wrote:

> Hi,
>
> Org git main HEAD, try to open the following file:
>
> --- 8< ---
>
> #+setupfile: http://localhost:8000/setup-1234567890.org
>
> test
> --- >8 ---
>
> I am trying to decline attempts to download the remote resource by 
> hitting "n" (skip), but Org still tries to fetch that file and does it 
> twice. I see in the *Messages*
>
> Please type y, n, d, or !: n
> Contacting host: localhost:8000
> Org couldn’t download "http://localhost:8000/setup-1234567890.org": 
> file-error ("make client process failed" "Connection refused" :name 
> "localhost" :buffer #<killed buffer> :host "localhost" :service 8000 
> :nowait nil :tls-parameters nil :coding nil)
>
> Please type y, n, d, or !: n
> Contacting host: localhost:8000
> Org couldn’t download "http://localhost:8000/setup-1234567890.org": 
> file-error ("make client process failed" "Connection refused" :name 
> "localhost" :buffer #<killed buffer> :host "localhost" :service 8000 
> :nowait nil :tls-parameters nil :coding nil)
>
> From my point of view Org should not do it. Assume it is not a file I 
> created myself, but it is downloaded from some web server or received in 
> an e-mail message.

When I opened your email in Gnus, I was greeted with the same
(bewildering) message. Given that Org still tried to download the
setupfile after being told not to, I think this is a major security
hole.

This is also related to another thread concerning Org and email.

https://list.orgmode.org/orgmode/87cyteyhif.fsf@localhost/

Leo
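
An added example, not part of the original messages or of Org itself: a pre-open check that lists remote `#+setupfile:` targets in an Org file from an untrusted source (a download or a mail attachment), so they can be reviewed before Emacs parses the file. The function name, the constructed sample input and the rule that any `scheme://` value counts as remote are assumptions.

```python
import re

# Org keyword line: optional indentation, "#+SETUPFILE:", then the value.
# Org keywords are case-insensitive.
_SETUPFILE = re.compile(r'^[ \t]*#\+setupfile:[ \t]*(?P<value>.*?)[ \t]*$',
                        re.IGNORECASE)
# Assumption: any value shaped like scheme://... is treated as remote.
_URL = re.compile(r'^[a-z][a-z0-9+.-]*://', re.IGNORECASE)


def remote_setupfiles(org_text):
    """Return (line_number, url) for every #+SETUPFILE that names a URL.

    Deliberately conservative: lines inside example or source blocks are
    reported too, since over-reporting is the safe direction here.
    """
    hits = []
    for number, line in enumerate(org_text.splitlines(), start=1):
        match = _SETUPFILE.match(line)
        if not match:
            continue
        value = match.group('value')
        # The value may be wrapped in double quotes.
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        if _URL.match(value):
            hits.append((number, value))
    return hits


# Constructed sample: the first line is the keyword from the report above,
# the others are made up to exercise quoting, case and local paths.
SAMPLE = '''#+setupfile: http://localhost:8000/setup-1234567890.org
#+SETUPFILE: "https://example.org/theme.setup"
#+setupfile: ~/org/local.setup
  #+SetupFile: ./relative.org

test
'''

if __name__ == '__main__':
    for number, url in remote_setupfiles(SAMPLE):
        print(f'line {number}: remote setupfile {url}')
```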
