org: Code evaluation security

 
 15.4 Code evaluation and security issues
 ========================================
 
 Org provides tools to work with code snippets, including evaluating
 them.
 
    Running code on your machine always comes with a security risk.
 Badly written or malicious code can be executed on purpose or by
 accident.  Org has default settings which will only evaluate such code
 if you give explicit permission to do so, and as a casual user of these
 features you should leave these precautions intact.
 
    For people who regularly work with such code, the confirmation
 prompts can become annoying, and you might want to turn them off.  This
 can be done, but you must be aware of the risks that are involved.
 
    Code evaluation can happen under the following circumstances:
 
 Source code blocks
      Source code blocks can be evaluated during export, or when pressing
      ‘C-c C-c’ in the block.  The most important thing to realize here
      is that Org mode files which contain code snippets are, in a
      certain sense, like executable files.  So you should accept them
      and load them into Emacs only from trusted sources—just like you
      would do with a program you install on your computer.
 
      Make sure you know what you are doing before customizing the
      variables which take off the default security brakes.
 
       -- User Option: org-confirm-babel-evaluate
           When t (the default), the user is asked before every code
           block evaluation.  When ‘nil’, the user is not asked.  When
           set to a function, it is called with two arguments (language
           and body of the code block) and should return t to ask and
           ‘nil’ not to ask.
 
      For example, here is how to execute "ditaa" code (which is
      considered safe) without asking:
 
           (defun my-org-confirm-babel-evaluate (lang body)
             (not (string= lang "ditaa")))  ; don't ask for ditaa
           (setq org-confirm-babel-evaluate 'my-org-confirm-babel-evaluate)
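
      The predicate can look at more than the language.  The following
      added example (not part of the Org manual) goes one step further
      than the "ditaa" case above: it skips the prompt for a short list
      of picture-only languages, and for every language in files that
      live under a directory you control.  The directory ‘~/org/trusted/’
      and the variable and function names are assumptions made for this
      example.  Because ‘buffer-file-name’ is ‘nil’ in buffers that do
      not visit a file, the function falls back to asking in that case,
      which is the safe direction to fail in.

```elisp
;; Added example, not code from the Org manual.  The trusted directory
;; and all `my-' names are hypothetical.

(defvar my-org-safe-babel-langs '("ditaa")
  "Languages whose blocks may run without a confirmation prompt.
Only languages that turn text into a picture belong here; shell,
Emacs Lisp and similar languages can run arbitrary code.")

(defvar my-org-trusted-dir (expand-file-name "~/org/trusted/")
  "Directory whose Org files you wrote yourself and trust completely.")

(defun my-org-confirm-babel-evaluate (lang body)
  "Decide whether Org should ask before evaluating a code block.
Org calls this with the block's LANG and BODY.  Returning t asks,
returning nil evaluates without a prompt.  BODY is unused here but
must be accepted because Org always passes two arguments."
  (let ((file (buffer-file-name)))
    (not (or (member lang my-org-safe-babel-langs)
             ;; Trust the file only when we know which file it is and
             ;; it sits inside the trusted directory.
             (and file
                  (file-in-directory-p file my-org-trusted-dir))))))

(setq org-confirm-babel-evaluate #'my-org-confirm-babel-evaluate)

;; For comparison, this is the setting the manual warns about: every
;; block in every Org file you open runs without any prompt.
;; (setq org-confirm-babel-evaluate nil)
```

      Keep the trusted directory small and do not point it at a folder
      where files from other people (mail attachments, shared drives,
      cloned repositories) can land, since the check trusts the location
      rather than the file's author.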
 
 Following ‘shell’ and ‘elisp’ links
      Org has two link types that can directly evaluate code (see
      External links).  These links can be problematic because the code
      to be evaluated is not visible in the rendered link text.
 
       -- User Option: org-confirm-shell-link-function
           Function that queries the user before a shell link is
           executed.
       -- User Option: org-confirm-elisp-link-function
           Function that queries the user before an Emacs Lisp link is
           executed.
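
      Both options hold a function that Org calls with a single
      argument, the prompt string, which includes the command or
      expression about to run.  The added example below (not code from
      the Org manual; the ‘my-’ names are hypothetical) installs one
      function for both link types.  It always asks, and it records
      what was offered and whether it was allowed in the ‘*Messages*’
      buffer, so you can see afterwards what a document tried to run.

```elisp
;; Added example, not code from the Org manual.  `my-org-confirm-link'
;; is a hypothetical name.

(defun my-org-confirm-link (prompt)
  "Ask before running a shell or Emacs Lisp link and log the decision.
PROMPT is the string Org passes; it already contains the code that
would run, so the user sees exactly what is about to happen.
Returning non-nil lets the link execute, nil refuses it."
  (let ((ok (yes-or-no-p prompt)))
    (message "Org link execution %s: %s"
             (if ok "allowed" "refused")
             prompt)
    ok))

;; Use the same function for both link types.
(setq org-confirm-shell-link-function #'my-org-confirm-link
      org-confirm-elisp-link-function #'my-org-confirm-link)

;; The settings below disable the prompt entirely: clicking a link in
;; any Org file would then run the hidden command without asking.
;; (setq org-confirm-shell-link-function nil
;;       org-confirm-elisp-link-function nil)
```

      ‘yes-or-no-p’ requires typing "yes" in full, which is deliberate
      for an action that can run arbitrary commands; ‘y-or-n-p’ would
      also work but makes an accidental confirmation easier.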
 
 Formulas in tables
      Formulas in tables (see The spreadsheet) are code that is
      evaluated either by the Calc interpreter or by the Emacs Lisp
      interpreter.