Dear all,

> I just released Org mode 9.7.5 that fixes a critical vulnerability.
> The release is coordinated with emergency Emacs 29.4 release.
> ...
> The vulnerability involves arbitrary Shell code evaluation...

In view of the recent vulnerability, we are considering removing the offending feature completely.

For the time being, we restricted %(function) constructs in #+LINK: ... lines to (1) pure functions (no side effects, no access to global state); (2) functions explicitly marked by the user.

However, while discussing how to approach the vulnerability, we did not find many examples of using #+LINK: label %(function) in the wild.

If you are actively using #+LINK: keywords with %(...) placeholders or have any objections to this feature removal, please let us know.

-- 
Ihor Radchenko // yantar92,
Org mode contributor,
Learn more about Org mode at <https://orgmode.org/>.
Support Org development at <https://liberapay.com/org-mode>,
or support my work at <https://liberapay.com/yantar92>
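
For readers who want to check whether their own files use the construct discussed in the message above, here is an added example (not part of the original e-mail and not Org mode's code): a Python scan of Org text for `#+LINK:` lines that contain `%(function)` placeholders. The sample text, labels, URLs and function names are constructed, and the scan reports every matching line without parsing surrounding blocks.

```python
import re
import sys
from pathlib import Path

# "#+LINK:" keyword line; Org keywords are case-insensitive and may be indented.
LINK_KEYWORD = re.compile(r"^[ \t]*#\+LINK:[ \t]*(?P<value>.*)$", re.IGNORECASE)
# "%(function)" placeholder, the construct named in the message.
FUNC_PLACEHOLDER = re.compile(r"%\(([^)\s]+)\)")


def find_function_links(text):
    """Return (line_number, label, [function names]) for each #+LINK: line
    whose value contains at least one %(function) placeholder."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = LINK_KEYWORD.match(line)
        if not m:
            continue
        value = m.group("value").strip()
        functions = FUNC_PLACEHOLDER.findall(value)
        if functions:
            # First whitespace-delimited token, used only for reporting.
            label = value.split(None, 1)[0]
            findings.append((lineno, label, functions))
    return findings


def scan_tree(root):
    """Scan every *.org file under root; undecodable bytes are replaced."""
    report = {}
    for path in sorted(Path(root).rglob("*.org")):
        hits = find_function_links(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[str(path)] = hits
    return report


# Constructed sample; the labels, URLs and function names are made up.
SAMPLE = """\
#+TITLE: Constructed sample
#+LINK: bugs https://example.org/bugs/%s
#+link: wiki https://example.org/wiki/%(my-wiki-slug)
  #+LINK: doc file:%(my-doc-root)
Text mentioning %(not-a-keyword) outside a LINK line.
"""

if __name__ == "__main__":
    for path, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        for lineno, label, functions in hits:
            print(f"{path}:{lineno}: {label} -> {', '.join(functions)}")
```

Run with a directory argument, it prints one line per affected `#+LINK:` keyword in the `*.org` files under that directory.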