Re: [PATCH] Fix ob-latex.el command injection vulnerability.

From: Max Nikulin
Subject: Re: [PATCH] Fix ob-latex.el command injection vulnerability.
Date: Thu, 9 Mar 2023 23:29:41 +0700
On 09/03/2023 19:22, Ihor Radchenko wrote:
> lux writes:
>> Hi, this is a new patch, let me briefly explain this patch:

Thank you for scratching my itch related to unsafe shell commands in Org Mode.

>> 2. `org-babel-latex-convert-pdf' is not safe, simple test:

I am not sure if blindly adding `shell-quote-argument' is safe here.

I believe the first hunk can still be committed.

      (shell-command cmd)))

im-in-options and im-out-options, according to
are options passed to ImageMagick.

ImageMagick is a disaster per se.

Ideally `call-process' or `process-file' should be here instead of `shell-command', making `shell-quote-argument' unnecessary. Sorry, it is not clear to me if remote files (e.g. /ssh:...) are supported here. Unfortunately, passing options as a string, not as a list, means a compatibility issue. `split-string-and-unquote' may cause new bugs.

I have not evaluated it yet, but from discussions on this list I have the impression that some LaTeX packages need to run external commands. I am unsure to what degree it is safe or whether it may be easily exploited.
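Added example, not code from ob-latex.el, the patch under review, or anyone in this thread: a hypothetical helper showing what the `call-process' approach discussed above could look like. It assumes the ImageMagick program is named `convert' and that `split-string-and-unquote' is acceptable for the existing string-valued option arguments (the compatibility caveat raised above still applies).

```elisp
;; Hypothetical helper (added example, not from ob-latex.el).
;; The command line is kept as a list of arguments and run with
;; `call-process', so neither the file names nor the option strings
;; are ever parsed by /bin/sh.  A file name like "x.pdf; rm -rf ~"
;; is therefore just one argument to convert, not a second command.
(defun my/latex-convert-pdf (pdffile out-file im-in-options im-out-options)
  "Convert PDFFILE to OUT-FILE with ImageMagick's `convert'.
IM-IN-OPTIONS and IM-OUT-OPTIONS are strings, as in the existing
header arguments.  They are split with `split-string-and-unquote'
(assumed acceptable here) instead of being interpolated into a
shell command line.  Returns OUT-FILE on success, signals on failure."
  (let ((args (append (split-string-and-unquote im-in-options)
                      (list pdffile)
                      (split-string-and-unquote im-out-options)
                      (list out-file))))
    (with-temp-buffer
      ;; `call-process' execs the program directly; DESTINATION t
      ;; collects stdout/stderr in the current buffer for diagnostics.
      (let ((status (apply #'call-process "convert" nil t nil args)))
        ;; STATUS is an integer exit code, or a string if killed by a signal.
        (unless (eql status 0)
          (error "convert failed (%s): %s" status (buffer-string)))))
    out-file))

;; Example call with constructed values.  Because no shell is involved,
;; the odd-looking PDF name is passed through unchanged as a single
;; argument; with `shell-command' on a formatted string it would not be.
;; (my/latex-convert-pdf "page; echo injected.pdf" "page.png"
;;                       "-density 300" "-quality 90")
```

For remote (TRAMP) file names, `process-file' takes the same argument list and runs the program on the remote host; whether ob-latex.el needs that is the open question raised above.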

