org-link-expand-abbrev: Do not evaluate arbitrary unsafe Elisp code
c645e1d8205f0f0663ec4a2d27575b238c646c7c
Ihor Radchenko
Sat Jun 22 00:54:36 2024 +0200
[ km: This was independently covered on the bugfix branch with
f4cc61636. I'm applying it here too for bookkeeping/traceability
purposes. ]
* lisp/org-persist.el (org-persist--normalize-associated): Force
'emacs-internal coding system when computing buffer contents hash.
Reported-by: Eli Zaretskii <eliz@gnu.org>
Link: https://orgmode.org/list/86jzia68ih.fsf@gnu.org
* lisp/ol.el (org-link-expand-abbrev): Refuse expanding %(...) link
abbrevs that specify an unsafe function. Instead, display a warning, and
do not expand the abbrev. Clear all the text properties from the
returned link, to avoid any potential vulnerabilities caused by
properties that may contain arbitrary Elisp.
* lisp/org-refile.el (org-refile-get-location): When current buffer
file is a symlink to refile location, do not append the file name to
the outline path, just as we do when current buffer is the same as
refile location file.
TINYCHANGE
* lisp/ob-shell.el (org-babel-shell-initialize): Assign default value
from `org-babel-default-header-args:shell' and
`org-babel-header-args:shell' for specific shell variables.
Reported-by: Suhail Singh <suhailsingh247@gmail.com>
Link: https://orgmode.org/list/87frtczgu6.fsf@gmail.com
* lisp/ob-clojure.el (ob-clojure-cli-command): Allow nil value. It
can happen, even though it will yield an error (which is a different
issue). But let's follow other defcustoms in the file.
Reported-by: Mattias Engdegård <mattias.engdegard@gmail.com>
Link: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=71566
* lisp/org-element.el (org-element--get-node-properties):
(org-element--headline-parse-title):
(org-element--headline-parse-title-raw):
(org-element--headline-parse-title-parse):
(org-element-comment-block-parser):
(org-element-example-block-parser):
(org-element-export-block-parser):
(org-element-latex-environment-parser):
(org-element-src-block-parser):
(org-element-table-parser):
(org-element--parse-generic-emphasis):
(org-element-export-snippet-parser):
(org-element-inline-babel-call-parser):
(org-element-latex-fragment-parser): Auto-undefer node properties that
are calculated based on buffer position of the node. This will make
the return value of `org-element-at-point' a little more robust once
the buffer is modified. The :begin/:end, and other positional
properties may not be up-to-date, but at least some other properties
may be "frozen" if they are undeferred early. Auto-undefer is still
disabled for properties that do not depend on buffer positions and may
benefit from dynamic calculation that takes into account syntax
changes that are influenced by global variables.
* lisp/org-clock.el (org-clock-sum): Skip invalid CLOCK
lines (malformed or with times missing). Display a warning.
This brings back the old behavior with such CLOCK lines being silently
skipped. Now, we also display a warning.
Reported-by: Robert Nyman <RKNyman@NymanTechnology.com>
Link: https://list.orgmode.org/orgmode/0e2ed754-bc71-4558-9c46-f17d73981fe5@NymanTechnology.com/
* lisp/org.el (org--dnd-rmc): Add docstring. Fix the call to
`read-multiple-choice' when extended help ("?") is requested by the
user.
Reported-by: Johann Klähn <org-mode@web.jklaehn.de>
Link: https://orgmode.org/list/87ikyhg9qi.fsf@jklaehn.de
* lisp/org-num.el (org-num-skip-tags): Make sure that function used
for :safe `defcustom' slot does not require functions that are not
defined in org-loaddefs.el. This is because `org-num-skip-tags' is
autoloaded and cannot rely upon requires in org-num.el. Instead, it
may only use pre-loaded functions and other autoloaded Org mode
functions.
Reported-by: Eli Zaretskii <eliz@gnu.org>
Link: https://yhetil.org/emacs-devel/868qzd9hjg.fsf@gnu.org/
* lisp/org-capture.el (org-capture-templates): Remove "sexp" type from
allowed values of capture targets. S-exp support has been removed in
f5645675a3.
* mk/org-fixup.el (org-make-manual):
(org-make-guide):
(org-make-manuals): Disable local ID db when building Org
documentation. This makes sure that local IDs on the build machine
can never influence the build process.
Reported-by: Eli Zaretskii <eliz@gnu.org>
Link: https://yhetil.org/emacs-devel/868qzd9hjg.fsf@gnu.org/
* lisp/org.el (org--dnd-attach-file): Make sure that target directory
is created before copying the file when `org-yank-image-save-method' is
set to a specific directory (not 'attach).
Reported-by: ISouthRain <isouthrain@qq.com>
Link: https://orgmode.org/list/tencent_AABB2DEBF7ABFBC795348C288E0EBFCFDD0A@qq.com
* lisp/ox.el (org-export--set-variables): Assume that variables are
listed as (var value) - as a list. Only use the second element of the
list as the value, following example in `org-export-get-environment'.
(org-export-get-environment): Use `org-export--set-variables'.
* testing/lisp/test-ox.el (test-org-export/bind-keyword): Add new
test.
Reported-by: Suhail Singh <suhailsingh247@gmail.com>
Link: https://orgmode.org/list/87cyonhuq3.fsf@gmail.com
* lisp/ob-core.el (org-babel-execute-src-block): Make sure that point
remains on src block after evaluation. The function logic later
implicitly assumes that the point is on the block that has been
evaluated.
* lisp/org.el (org-image--align): Improve docstring. Do not try to
align when image is not inside a paragraph.
Reported-by: Lin Sun <sunlin7.mail@gmail.com>
Link: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=71484
* lisp/ob-core.el (org-babel-execute-src-block): Fix indentation of
line.
Emacs's bd80717d8e7 (Re-enable TTY glyph production for batch mode
frames on Android, 2024-06-10) reverted all changes from 8d1d9798f77
(Fix bootstrap of org.texi, 2024-06-10) aside from an indentation fix.
Apply the indentation fix to avoid overwriting it on sync.
* lisp/org-lint.el (org-lint-misplaced-heading): Be more strict
matching potential misplaced headings - only do it on another heading
and inside paragraphs.
Link: https://orgmode.org/list/87a5jv77qs.fsf@gmail.com
* lisp/org-lint.el (org-lint-misplaced-heading): Use parser to query
whether we are inside a verbatim block. `org-at-block-p' only
triggers on the begin line of blocks.
* lisp/ob-exp.el (org-babel-exp-code): Do not use resolved argument
values when formatting the code block. Resolved argument values may
contain awkward data like full (long) table contents, various Elisp
data (including non-printable), etc. Simply using verbatim src block
parameters as they appear in the original buffer is more reliable.
(org-babel-exp-inline-code-template):
(org-babel-exp-code-template): Update docstrings, drop %flags
placeholder, which is no longer supported using the current src block
syntax.
* etc/ORG-NEWS (=ox-org= preserves header arguments in src blocks):
Drop "non-default" when explaining how header arguments are formatted.
We cannot know which values are default and which not without
resolving the values - something we cannot do as it turned out.
* testing/lisp/test-ob-exp.el (ob-exp/exports-inline-code):
(ob-export/export-src-block-with-flags):
(ob-export/body-with-coderef): Update the tests.
* lisp/org-lint.el (org-lint-suspicious-language-in-src-block): Do not
complain about src block languages without execute function if there
is <lang>-mode major mode available.
Reported-by: Suhail Singh <suhailsingh247@gmail.com>
Link: https://orgmode.org/list/874ja7ik7h.fsf@gmail.com
* mk/targets.mk (GITVERSION): Use previous convention for the Org
version string on ELPA, where Org release tags are not available.
Instead of the new release_N/A-N/A prefix, use the Org version from
org.el file headers, as we did in Org 9.6.
Reported-by: Sharon Kimble <boudiccas@skimble09.plus.com>
Link: https://orgmode.org/list/87ikynyggt.fsf@skimble09.plus.com