by cobbal 730 days ago
Emacs already restricts what variables can be set as file-local. It will prompt you to ask what to do if you open a file containing:

  ;; -*- eval: (message "arbitrary code") -*-
Any mode associated with a file extension should be at least as secure against code execution.

Sure, I agree with that behavior assuming the user wants the security. If the user wants to disable it, they should be able to do so. It's awful to assume users can't make the decision for themselves.
To be clear, this bug is about arbitrary code execution on another machine as soon as a user on that machine opens an email with Emacs that has a malicious org attachment. It is not about the user opening one of their own files and the user has no chance to preview the code before executing it. So it is a perfect remote takeover of any machine that happens to use a default Emacs for email.
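
The file-local variable checks mentioned at the top of the thread, as an added example that is not part of any comment above and is not code from Emacs or Org: it reads a `-*- ... -*-` header without evaluating it and reports how each entry would be classified. The function name `my/audit-prop-line` and the sample header are constructed for illustration.

```elisp
;; Added example. `my/audit-prop-line' and `my/sample-header' are
;; hypothetical names; the sample header is constructed.
(require 'files)

(defun my/audit-prop-line (text)
  "Return a list of (VAR VALUE VERDICT) for the -*- line in TEXT.
VERDICT is one of:
  eval   - an `eval:' form, governed by `enable-local-eval'
  risky  - variable is marked risky, never applied silently
  safe   - value passes the variable's safe-local-variable check
  prompt - unknown variable, Emacs asks before applying it
TEXT is only read with the Lisp reader; nothing in it is evaluated."
  (with-temp-buffer
    (insert text)
    (goto-char (point-min))
    (mapcar
     (lambda (entry)
       (let ((var (car entry))
             (val (cdr entry)))
         (list var val
               (cond ((eq var 'eval) 'eval)
                     ((risky-local-variable-p var) 'risky)
                     ((safe-local-variable-p var val) 'safe)
                     (t 'prompt)))))
     ;; Parses the first-line cookie into an alist of (VAR . VAL).
     (hack-local-variables-prop-line))))

;; Constructed sample: one eval form, one safe value, one risky variable.
(defvar my/sample-header
  ";; -*- eval: (message \"arbitrary code\"); fill-column: 80; load-path: (\"/tmp\") -*-\n")

;; Evaluate this form to see the classification of each entry.
(my/audit-prop-line my/sample-header)

;; The user-facing switches for the behaviour discussed in the thread.
;; Defaults are `t' for `enable-local-variables' (prompt on unsafe values)
;; and `maybe' for `enable-local-eval' (prompt before running eval forms).
;; Stricter settings, left commented out so loading this file changes nothing:
;; (setq enable-local-eval nil)         ; ignore every `eval:' entry
;; (setq enable-local-variables :safe)  ; apply only safe values, never prompt
```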