Merge branch 'bugfix'

doc/org-manual.org

@@ -23190,7 +23190,7 @@ specify a date December 1, 2005, the call might look like
 =(diary-date 12 1 2005)= or =(diary-date 1 12 2005)= or =(diary-date
 2005 12 1)=, depending on the settings.  This has been the source of
 much confusion.  Org mode users can resort to special versions of
-these functions, namely ~org-date~, ~org-anniversary~, ~org-cyclic, and
+these functions, namely ~org-date~, ~org-anniversary~, ~org-cyclic~, and
 ~org-block~.  These work just like the corresponding ~diary-~
 functions, but with stable ISO order of arguments (year, month, day)
 wherever applicable, independent of the value of

etc/ORG-NEWS

@@ -110,6 +110,9 @@ the "default" directory - where the symlink is located.
 # Here, we list the *most important* changes and changes that _likely_
 # require user action for most Org mode users.
 # Sorted from most important to least important.
+*** Arbitrary shell commands may no longer run when turning on Org mode
+
+This is for security reasons, to avoid running malicious commands.
 
 *** =python-mode.el (MELPA)= support in =ob-python.el= is removed
 

lisp/ol.el

@@ -1170,23 +1170,41 @@ Abbreviations are defined in `org-link-abbrev-alist'."
                    (setq org-link-abbrev-alist-local (delete as org-link-abbrev-alist-local)
 	                 org-link-abbrev-alist (delete as org-link-abbrev-alist))
                    link))))
-	  (cond
-	   ((symbolp rpl)
-            (eval-or-disable
-             (let ((expanded (funcall rpl tag)))
-               (unless (stringp expanded)
-                 (error "%s did not return a string: %S" rpl expanded))
-               expanded)))
-	   ((string-match "%(\\([^)]+\\))" rpl)
-            (eval-or-disable
-             (replace-match
-              (save-match-data
-                (funcall (intern-soft (match-string 1 rpl)) tag))
-              t t rpl)))
-	   ((string-match "%s" rpl) (replace-match (or tag "") t t rpl))
-	   ((string-match "%h" rpl)
-	    (replace-match (url-hexify-string (or tag "")) t t rpl))
-	   (t (concat rpl tag))))))))
+          ;; Drop any potentially dangerous text properties like
+          ;; `modification-hooks' that may be used as an attack vector.
+          (substring-no-properties
+           (cond
+            ((symbolp rpl)
+             (eval-or-disable
+              (let ((expanded (funcall rpl tag)))
+                (unless (stringp expanded)
+                  (error "%s did not return a string: %S" rpl expanded))
+                expanded)))
+            ((string-match "%(\\([^)]+\\))" rpl)
+             (let ((rpl-fun-symbol (intern-soft (match-string 1 rpl))))
+               ;; Using `unsafep-function' is not quite enough because
+               ;; Emacs considers functions like `genenv' safe, while
+               ;; they can potentially be used to expose private system
+               ;; data to attacker if abbreviated link is clicked.
+               (if (or (eq t (get rpl-fun-symbol 'org-link-abbrev-safe))
+                       (eq t (get rpl-fun-symbol 'pure)))
+                   (eval-or-disable
+                    (replace-match
+                     (save-match-data
+                       (funcall rpl-fun-symbol tag))
+                     t t rpl))
+                 (org-display-warning
+                  (format "Disabling unsafe link abbrev: %s
+You may mark function safe via (put '%s 'org-link-abbrev-safe t)"
+                          rpl (match-string 1 rpl)))
+                 (setq org-link-abbrev-alist-local (delete as org-link-abbrev-alist-local)
+                       org-link-abbrev-alist (delete as org-link-abbrev-alist))
+                 link
+                 )))
+            ((string-match "%s" rpl) (replace-match (or tag "") t t rpl))
+            ((string-match "%h" rpl)
+             (replace-match (url-hexify-string (or tag "")) t t rpl))
+            (t (concat rpl tag)))))))))
 
 (defun org-link-open (link &optional arg)
   "Open a link object LINK.

lisp/org-element-ast.el

@@ -270,7 +270,7 @@ Return value is the containing property name, as a keyword, or nil."
   "Dynamically computed value.
 
 The value can be obtained by calling FUNCTION with containing syntax
-node as first argument and ARGS list as remainting arguments.
+node as first argument and ARGS list as remaining arguments.
 
 If the function throws `:org-element-deferred-retry' signal, assume
 that the syntax node has been modified by side effect and retry

lisp/org-element.el

@@ -110,7 +110,7 @@
 ;; to current setup.
 
 (defconst org-element-archive-tag "ARCHIVE"
-  "Tag marking a substree as archived.")
+  "Tag marking a subtree as archived.")
 
 (defconst org-element-citation-key-re
   (rx "@" (group (one-or-more (any word "-.:?!`'/*@+|(){}<>&_^$#%~"))))
@@ -181,8 +181,7 @@ Drawer's name is located in match group 1.")
   (rx line-start (0+ (any ?\s ?\t))
       ":" (1+ (any ?- ?_ word)) ":"
       (0+ (any ?\s ?\t)) line-end)
-  "Regexp matching opening or closing line of a drawer.
-Drawer's name is located in match group 1.")
+  "Regexp matching opening or closing line of a drawer.")
 
 (defconst org-element-dynamic-block-open-re
   (rx line-start (0+ (any ?\s ?\t))
@@ -4677,7 +4676,7 @@ element it has to parse."
        ;;
        ;; In general, the checks below should be as efficient as
        ;; possible, especially early in the `cond' form.  (The
-       ;; early checks will contribute to al subsequent parsers as
+       ;; early checks will contribute to all subsequent parsers as
        ;; well).
        (cond
 	;; Item.
@@ -5954,7 +5953,7 @@ better to remove the commands advised in such a way from this list.")
 
 (defmacro org-element--cache-log-message (format-string &rest args)
   "Add a new log message for org-element-cache.
-FORMAT-STRING and ARGS are the same arguments as in `foramt'."
+FORMAT-STRING and ARGS are the same arguments as in `format'."
   `(when (or org-element--cache-diagnostics
              (eq org-element--cache-self-verify 'backtrace))
      (let* ((format-string (concat (format "org-element-cache diagnostics(%s): "
@@ -6224,7 +6223,7 @@ the cache."
                ;; children starting at the same pos.
                (not (org-element-type-p hashed '(section org-data table))))
           hashed
-        ;; No appriate HASHED.  Search the cache.
+        ;; No appropriate HASHED.  Search the cache.
         (while node
           (let* ((element (avl-tree--node-data node))
 	         (begin (org-element-begin element)))
@@ -8321,7 +8320,7 @@ the cache."
                                             limit-count))
                                 (cache-walk-abort))
                               ;; Make sure that we have a cached
-                              ;; element at the new STAR.
+                              ;; element at the new START.
                               (when start (element-match-at-point)))
                             ;; Check if the buffer or cache has been modified.
                             (unless (org-with-base-buffer nil

lisp/org-refile.el

@@ -666,12 +666,12 @@ this function appends the default value from
 		  #'completing-read))
 	 (extra (if org-refile-use-outline-path "/" ""))
 	 (cbnex (concat (buffer-name) extra))
-	 (filename (and cfn (expand-file-name cfn)))
+	 (filename (and cfn (file-truename cfn)))
 	 (tbl (mapcar
 	       (lambda (x)
 		 (if (and (not (member org-refile-use-outline-path
 				       '(file full-file-path title)))
-			  (not (equal filename (nth 1 x))))
+			  (not (equal filename (file-truename (nth 1 x)))))
 		     (cons (concat (car x) extra " ("
 				   (file-name-nondirectory (nth 1 x)) ")")
 			   (cdr x))