15.4 Code evaluation and security issues
Org provides tools to work with code snippets, including
evaluating them.
Running code on your machine always comes with a security
risk. Badly written or malicious code can be executed on purpose
or by accident. Org has default settings which will only evaluate
such code if you give explicit permission to do so, and as a
casual user of these features you should leave these precautions
intact.
For people who regularly work with such code, the confirmation
prompts can become annoying, and you might want to turn them off.
This can be done, but you must be aware of the risks that are
involved.
Code evaluation can happen under the following
circumstances:
- Source code blocks
  Source code blocks can be evaluated during export, or when
  pressing C-c C-c in the block. The most important thing to
  realize here is that Org mode files which contain code snippets
  are, in a certain sense, like executable files. So you should
  accept them and load them into Emacs only from trusted sources,
  just like you would do with a program you install on your
  computer.
  Make sure you know what you are doing before customizing the
  variables which take off the default security brakes.
  — User Option: org-confirm-babel-evaluate
    When set to t (the default), the user is asked before every
    code block evaluation. When set to nil, no confirmation is
    asked. When set to a function, that function is called with
    two arguments, the language name of the block and its body,
    and the user is asked whenever it returns non-nil.
- Following shell and elisp links
  Org has two link types that can directly evaluate code (see
  External links). These links can be problematic because the
  code to be evaluated is not visible.
  — User Option: org-confirm-shell-link-function
    Function that queries the user before a shell link is
    executed. The default is yes-or-no-p; setting it to nil
    disables the confirmation.
  — User Option: org-confirm-elisp-link-function
    Function that queries the user before an Emacs Lisp link is
    executed. The default is yes-or-no-p; setting it to nil
    disables the confirmation.
- Formulas in tables
  Formulas in tables (see The spreadsheet) are code that is
  evaluated either by the Calc interpreter or by the Emacs Lisp
  interpreter.