emacs-orgmode

Re: Thoughts on the standardization of Org


From: Tim Cross
Subject: Re: Thoughts on the standardization of Org
Date: Tue, 10 Nov 2020 08:46:22 +1100
User-agent: mu4e 1.5.6; emacs 27.1.50

Maxim Nikulin <manikulin@gmail.com> writes:

> 2020-11-08 Jean Louis wrote:
>> That is right, I am using it since years in ~/.mailcap that works well
>> for mutt email client.
>>
>> text/org;    emacsclient %s; nametemplate=%s.org;
>> text/x-org;  emacsclient %s; nametemplate=%s.org;
>
> Just for curiosity, couldn't it lead to execution of arbitrary code
> placed into elisp table expressions, some macro, etc.? I have not
> convinced myself that just opening of a file (without executing of src
> blocks) is safe enough and there are no dangerous #+startup options or other
> tricks. Emacs is too powerful and too flexible...

By default, it is pretty safe. While you can customize things in such a
way as to expose you to additional danger, you have to explicitly do
that.

There is a risk with many MIME types, for example images, Word and Excel
documents etc. Even HTML can be a threat, especially if your mail reader
supports JS and is not well engineered with security checks.

No email can be considered 100% safe. However, in addition to the
possible security consequences, you also have to consider the
likelihood. The effort it takes to craft a malicious payload needs some
sort of reward and while that reward might be as trivial as just causing
mayhem, the relatively small user base for org compared to other MIME
types is unlikely to make it an attractive mechanism. You are more
likely to choose something more popular to put your efforts into.

--
Tim Cross
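
Added example, not part of the original message and not code from Org or Emacs: a pre-open triage that a mailcap wrapper could run on an Org attachment before handing it to emacsclient. It flags the constructs the question names (Lisp table formulas, eval macros, src blocks) plus file-local `eval:` entries and `elisp:`/`shell:` links; the rule list, function names and sample file are assumptions constructed for illustration.

```python
import re

# Constructs that Org or Emacs can evaluate as code. Emacs normally asks
# for confirmation or needs an explicit user action before running them;
# a hit means "look before you confirm", not "malicious".
RULES = [
    ("src-block",    re.compile(r"^\s*#\+BEGIN_SRC\b", re.I)),
    ("lisp-formula", re.compile(r"^\s*#\+TBLFM:.*'\(", re.I)),
    ("eval-macro",   re.compile(r"^\s*#\+MACRO:\s+\S+\s+\(eval\b", re.I)),
    ("local-eval",   re.compile(r"\beval:\s*\(")),
    ("exec-link",    re.compile(r"\[\[(?:elisp|shell):", re.I)),
]

def scan_org(text):
    """Return [(line_number, rule_name, stripped_line)] for each hit."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES:
            if pattern.search(line):
                hits.append((number, name, line.strip()))
    return hits

def summarize(text):
    """Count hits per rule so a wrapper can decide whether to warn."""
    counts = {}
    for _, name, _ in scan_org(text):
        counts[name] = counts.get(name, 0) + 1
    return counts

# Constructed sample attachment, harmless on purpose.
SAMPLE = """\
#+TITLE: Meeting notes
#+STARTUP: overview
#+MACRO: today (eval (format-time-string "%Y-%m-%d"))
| a | b |
| 1 |   |
#+TBLFM: $2='(* 2 $1);N
#+begin_src emacs-lisp
(message "hello")
#+end_src
See [[elisp:(message "hi")][this link]] and [[https://orgmode.org][Org]].
# Local Variables:
# eval: (message "loaded")
# End:
"""

if __name__ == "__main__":
    for number, name, line in scan_org(SAMPLE):
        print(f"{number:>3}  {name:<13} {line}")
```

A wrapper script named in the mailcap entry could call `summarize()` on the attachment and only launch emacsclient directly when the result is empty.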


