Steven Allen <ste...@stebalien.com> writes:

> 1. While this feature no longer invokes completely arbitrary code, it
>    still allows an attacker to call any function marked as "pure" which
>    is a pretty large attack surface.

I am struggling to assess this, because it's not clear to me what the threat model is. Could you please elaborate? How are the attacker and potential victim interacting; what is the attack vector(s); who are the threat agents and what is their goal that we are trying to guard against, etc?

> You can, of course, write that function; but then you might as well
> use org-link-abbrev-alist instead of defining a local #+LINK.

Perhaps I misunderstood, I thought the thing being polled was whether or not to allow org-link-abbrev-alist to have REPLACE (per its docstring) be a function. I.e., if %(my-function) is removed, so too would the ability to have a function in the REPLACE position in org-link-abbrev-alist. Did I misunderstand?

--
Suhail