org-persist: Never write data associated with encrypted files

* lisp/org-persist.el (org-persist-write): Do not write data associated with gpg-encrypted files. This will avoid data leakage. (org-persist--storage-version): Bump storage version to invalidate previously stored, potentially leaked, data. Reported-by: Clément Pit-Claudel <clement.pitclaudel@live.com>
2024-08-25 21:32:53 +00:00 · 2022-12-07 16:04:06 +03:00 · 2022-12-07 16:04:06 +03:00 · 3176ed9052
parent 5d14e88c51
commit 3176ed9052
1 changed files with 11 additions and 4 deletions
--- a/lisp/org-persist.el
+++ b/lisp/org-persist.el
@ -161,7 +161,7 @@
 (declare-function org-at-heading-p "org" (&optional invisible-not-ok))


-(defconst org-persist--storage-version "2.5"
+(defconst org-persist--storage-version "2.7"
  "Persistent storage layout version.")

 (defgroup org-persist nil
@ -856,9 +856,16 @@ When IGNORE-RETURN is non-nil, just return t on success without calling
      (setq associated (org-persist--normalize-associated (get-file-buffer (plist-get associated :file)))))
    (let ((collection (org-persist--get-collection container associated)))
      (setf collection (plist-put collection :associated associated))
-      (unless (seq-find (lambda (v)
-                          (run-hook-with-args-until-success 'org-persist-before-write-hook v associated))
-                        (plist-get collection :container))
+      (unless (or
+               ;; Prevent data leakage from encrypted files.
+               ;; We do it in somewhat paranoid manner and do not
+               ;; allow anything related to encrypted files to be
+               ;; written.
+               (and (plist-get associated :file)
+                    (string-match-p epa-file-name-regexp (plist-get associated :file)))
+               (seq-find (lambda (v)
+                           (run-hook-with-args-until-success 'org-persist-before-write-hook v associated))
+                         (plist-get collection :container)))
        (when (or (file-exists-p org-persist-directory) (org-persist--save-index))
          (let ((file (org-file-name-concat org-persist-directory (plist-get collection :persist-file)))
                (data (mapcar (lambda (c) (cons c (org-persist-write:generic c collection)))