[bachmeier]

But expected evaluation is a feature, and not everyone wants to inject a permissions system that gets in the way every time you open a document. Not everything is a web browser that needs to run arbitrary code from arbitrarily bad actors.

A warning and a prompt would largely be useless in this case anyway. As soon as you'd click the prompt, the evil code would run. What you'd need is an option set in your init file to allow code to execute on opening only if a particular piece of information known only to you is included in the file, like #+runcode: a19ihlkn01nf2n9882n4337974biskjf

[cobbal]

Emacs already restricts what variables can be set as file-local. It will prompt you to ask what to do if you open a file containing:

  ;; -*- eval: (message "arbitrary code") -*-

any mode associated with a file extension should be at least as secure against code execution.

[bachmeier]

Sure, I agree with that behavior assuming the user wants the security. If the user wants to disable it, they should be able to do so. It's awful to assume users can't make the decision for themselves.

[pama]

To be clear, this bug is about arbitrary code execution on another machine as soon as a user on that machine opens an email with Emacs that has a malicious org atrachment. It is not about the user opening one of their own files and the user has no chance to preview the code before executing it. So it is a perfect remote takeover of any machine that happens to use a default Emacs for email.

[jlg23]

Codewise I'd prefer a signaled error in elisp and something like your proposed magic/back-door as a handler you'd have to set up in user(-config) space.