On Sun, Feb 04 2024, Max Nikulin <maniku...@gmail.com> wrote:

> On 03/02/2024 02:04, Leo Butler wrote:
>> When I opened your email in Gnus, I was greeted with the same
>> (bewildering) message. Given that Org still tried to download the
>> setupfile after being told not to, I think this is a major security
>> hole.
>> This is also related to another thread concerning Org and email.
>> https://list.orgmode.org/orgmode/87cyteyhif.fsf@localhost/
>
> Sorry for sending a message with this kind of attachment, but from the
> discussion of that Emacs bug I expected that almost no Gnus users
> should be affected since their media type handler is set for
> text/x-org while Thunderbird uses "Content-Type: text/org".
>
> I would not classify this kind of issues as security ones. I am
> unaware of Org features that may make content of "#+setupfile:" more
> dangerous than the same snippet is included into attachment
> directly. (OK, antivirus might have a chance to detect something as
> dangerous code and "#+setupfile:" would bypass such protection.)
>
> I consider it as a privacy issue. It may allow spammers to track if
> their messages are delivered successfully.

There's no need to apologize--I was surprised at the whole episode.

Q: if #+setupfile points to a real file available to download, does Org
evaluate that file?

Leo
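
Added example, not part of the original message or of Org or Gnus: a mail-side check that flags Org attachments whose `#+setupfile:` keyword points at a remote URL, the fetch-on-preview case discussed in this thread. The function name, the sample message and the choice to treat http, https and ftp as "remote" are assumptions.

```python
import email
import re
from email import policy

# Media types named in the thread: Gnus handles text/x-org, Thunderbird sends text/org.
ORG_TYPES = {"text/org", "text/x-org"}
# Org keywords are case-insensitive; the value may be wrapped in double quotes.
SETUPFILE_RE = re.compile(r'^\s*#\+setupfile:\s*"?([^"\s]+)"?\s*$', re.IGNORECASE)
# Assumption: these URL schemes count as remote resources.
REMOTE_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

def remote_setupfiles(raw_message: bytes):
    """Return (attachment name, URL) for every remote #+setupfile in Org parts."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename() or ""
        is_org = part.get_content_type() in ORG_TYPES or name.lower().endswith(".org")
        if part.is_multipart() or not is_org:
            continue
        payload = part.get_payload(decode=True) or b""
        text = payload.decode(part.get_content_charset() or "utf-8", errors="replace")
        for line in text.splitlines():
            m = SETUPFILE_RE.match(line)
            if m and REMOTE_RE.match(m.group(1)):
                hits.append((name, m.group(1)))
    return hits

# Constructed sample message (not taken from the thread).
SAMPLE = b"""\
From: sender@example.invalid
To: list@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

See attachment.
--b1
Content-Type: text/org; charset=utf-8
Content-Disposition: attachment; filename="notes.org"

#+title: Notes
#+SETUPFILE: https://tracker.example.invalid/setup.org?id=42
#+setupfile: ./local-theme.org
--b1--
"""
```

Only the remote reference is reported; the local `./local-theme.org` line is ignored because it triggers no network request.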