Compare commits
3 Commits
a4ff518a2e
...
eafa479069
Author | SHA1 | Date |
---|---|---|
|
eafa479069 | |
|
e6de840889 | |
|
f4cc616369 |
|
@ -18,6 +18,9 @@ Please send Org bug reports to mailto:emacs-orgmode@gnu.org.
|
|||
# Here, we list the *most important* changes and changes that _likely_
|
||||
# require user action for most Org mode users.
|
||||
# Sorted from most important to least important.
|
||||
*** Arbitrary shell commands may no longer run when turning on Org mode
|
||||
|
||||
This is for security reasons, to avoid running malicious commands.
|
||||
|
||||
*** =python-mode.el (MELPA)= support in =ob-python.el= is removed
|
||||
|
||||
|
|
40
lisp/ol.el
40
lisp/ol.el
|
@ -1152,17 +1152,35 @@ Abbreviations are defined in `org-link-abbrev-alist'."
|
|||
(if (not as)
|
||||
link
|
||||
(setq rpl (cdr as))
|
||||
(cond
|
||||
((symbolp rpl) (funcall rpl tag))
|
||||
((string-match "%(\\([^)]+\\))" rpl)
|
||||
(replace-match
|
||||
(save-match-data
|
||||
(funcall (intern-soft (match-string 1 rpl)) tag))
|
||||
t t rpl))
|
||||
((string-match "%s" rpl) (replace-match (or tag "") t t rpl))
|
||||
((string-match "%h" rpl)
|
||||
(replace-match (url-hexify-string (or tag "")) t t rpl))
|
||||
(t (concat rpl tag)))))))
|
||||
;; Drop any potentially dangerous text properties like
|
||||
;; `modification-hooks' that may be used as an attack vector.
|
||||
(substring-no-properties
|
||||
(cond
|
||||
((symbolp rpl) (funcall rpl tag))
|
||||
((string-match "%(\\([^)]+\\))" rpl)
|
||||
(let ((rpl-fun-symbol (intern-soft (match-string 1 rpl))))
|
||||
;; Using `unsafep-function' is not quite enough because
|
||||
;; Emacs considers functions like `genenv' safe, while
|
||||
;; they can potentially be used to expose private system
|
||||
;; data to attacker if abbreviated link is clicked.
|
||||
(if (or (eq t (get rpl-fun-symbol 'org-link-abbrev-safe))
|
||||
(eq t (get rpl-fun-symbol 'pure)))
|
||||
(replace-match
|
||||
(save-match-data
|
||||
(funcall (intern-soft (match-string 1 rpl)) tag))
|
||||
t t rpl)
|
||||
(org-display-warning
|
||||
(format "Disabling unsafe link abbrev: %s
|
||||
You may mark function safe via (put '%s 'org-link-abbrev-safe t)"
|
||||
rpl (match-string 1 rpl)))
|
||||
(setq org-link-abbrev-alist-local (delete as org-link-abbrev-alist-local)
|
||||
org-link-abbrev-alist (delete as org-link-abbrev-alist))
|
||||
link
|
||||
)))
|
||||
((string-match "%s" rpl) (replace-match (or tag "") t t rpl))
|
||||
((string-match "%h" rpl)
|
||||
(replace-match (url-hexify-string (or tag "")) t t rpl))
|
||||
(t (concat rpl tag))))))))
|
||||
|
||||
(defun org-link-open (link &optional arg)
|
||||
"Open a link object LINK.
|
||||
|
|
|
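Review bot: The `((symbolp rpl) (funcall rpl tag))` branch of the new `cond` still calls the replacement function with no check of `org-link-abbrev-safe` or `pure`, so only the `%(...)` form is gated. The function begins above this hunk, so it is not visible here whether a symbol replacement can come from an Org file rather than from the user's own configuration. If it can, the same `(or (eq t (get rpl 'org-link-abbrev-safe)) (eq t (get rpl 'pure)))` test belongs on that branch; if it cannot, a short comment naming where symbol values originate would record why the branch is left open. Inside the gated branch the call can reuse the binding, `(funcall rpl-fun-symbol tag)`, instead of repeating `intern-soft`, and the explanatory comment should name `getenv` rather than `genenv`.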
@ -9,7 +9,7 @@
|
|||
;; URL: https://orgmode.org
|
||||
;; Package-Requires: ((emacs "26.1"))
|
||||
|
||||
;; Version: 9.7.4
|
||||
;; Version: 9.7.5
|
||||
|
||||
;; This file is part of GNU Emacs.
|
||||
;;
|
||||
|
|