
Re: [PATCH] Fix ob-latex.el command injection vulnerability.

From: lux
Subject: Re: [PATCH] Fix ob-latex.el command injection vulnerability.
Date: Wed, 08 Mar 2023 23:42:58 +0800
User-agent: Evolution 3.46.4 (3.46.4-1.fc37)

On Tue, 2023-03-07 at 22:31 +0700, Max Nikulin wrote:
> On 06/03/2023 10:17, lux wrote:
> > On Sat, 2023-02-18 at 11:43 +0000, Ihor Radchenko wrote:
> > > 
> > > I think should be (rename-file img-out out-file t)
> > 
> > Fixed, thank you.
> There are a couple more mv shell commands in ob-latex.el. It would be
> nice to fix them as well. Sorry, I have not checked it earlier. Are you
> still interested in this topic? I hope, you already have examples that
> can be used to quickly test if modified code works as expected.

Hi, this is a new patch; let me briefly explain it:

1. Replaced the `(shell-command "mv BAR NEWBAR")' with `rename-file'.

2. `org-babel-latex-convert-pdf' is not safe; a simple test:

        (org-babel-latex-convert-pdf ";id;.tex" ";uname;.pdf" "" "")

So, add `shell-quote-argument' to each external parameter.

Attachment: 0001-lisp-ob-latex.el-Fix-command-injection-vulnerability.patch
Description: Text Data
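The two fixes the message describes (quoting each external parameter before it reaches the shell, and replacing a shell `mv' with `rename-file'), as an added Emacs Lisp example that is not code from ob-latex.el or from the attached patch. The `my-` names, the ImageMagick `convert` command line and the metacharacter check are assumptions made for this illustration:

```elisp
;; Added example for this thread; not code from ob-latex.el or the patch.
;; All "my-" names, and the convert command line, are assumptions.

;; The pattern the patch removes: untrusted file names concatenated into a
;; string that /bin/sh parses.  A name like ";id;.tex" becomes a separate
;; command.  Kept only for contrast; do not call it on real input.
(defun my-unsafe-convert-command (pdffile out-file im-in-options im-out-options)
  "Build an ImageMagick command line with no quoting (insecure)."
  (concat "convert " im-in-options " " pdffile " " im-out-options " " out-file))

;; Fix 1 from the message: quote every external parameter before the shell
;; sees it.  `shell-quote-argument' escapes every non-filename character,
;; so ";id;.tex" reaches convert as one literal file name.
(defun my-safe-convert-command (pdffile out-file im-in-options im-out-options)
  "Build the same command line with each external parameter quoted."
  (mapconcat #'identity
             (list "convert"
                   (shell-quote-argument im-in-options)
                   (shell-quote-argument pdffile)
                   (shell-quote-argument im-out-options)
                   (shell-quote-argument out-file))
             " "))

;; Stronger variant: skip the shell entirely.  `call-process' hands the
;; arguments to the program as a list, so no character in a file name is
;; ever parsed as shell syntax and there is nothing to quote.  Option
;; strings such as "-density 300" are split into words first.
(defun my-convert-pdf-no-shell (pdffile out-file im-in-options im-out-options)
  "Run convert on PDFFILE producing OUT-FILE without invoking a shell."
  (apply #'call-process "convert" nil "*my-convert*" nil
         (append (split-string-and-unquote im-in-options)
                 (list (expand-file-name pdffile))
                 (split-string-and-unquote im-out-options)
                 (list (expand-file-name out-file)))))

;; Fix 2 from the message: a file move needs no shell at all.  A
;; (shell-command (concat "mv " img-out " " out-file)) has the same
;; injection problem; `rename-file' with OK-IF-ALREADY-EXISTS = t replaces it.
(defun my-move-output (img-out out-file)
  "Move IMG-OUT to OUT-FILE, overwriting an existing OUT-FILE."
  (rename-file img-out out-file t))

;; Cheap regression check for the quoting layer: return non-nil when CMD
;; contains a ';', '|', '&' or '`' that is not preceded by a backslash.
;; This is a smoke test for the POSIX backslash quoting that
;; `shell-quote-argument' emits, not a shell parser.
(defun my-command-has-unescaped-meta-p (cmd)
  "Return non-nil if CMD contains a shell metacharacter not escaped by '\\'."
  (string-match-p "\\(?:^\\|[^\\\\]\\)[;|&`]" cmd))
```

Evaluating `(my-command-has-unescaped-meta-p (my-unsafe-convert-command ";id;.tex" ";uname;.pdf" "" ""))` returns non-nil, while the same call on `my-safe-convert-command` returns nil, which is the quick check the thread asks for. Of the three conversion variants, `my-convert-pdf-no-shell` is the one to prefer when the command line can be changed: with `call-process` there is no shell to inject into, so the quoting layer and its regression check become unnecessary.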
