emacs-orgmode
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] Fix ob-latex.el command injection vulnerability.

From: Ihor Radchenko
Subject: Re: [PATCH] Fix ob-latex.el command injection vulnerability.
Date: Sat, 11 Mar 2023 10:47:52 +0000 
lux <lx@shellcodes.org> writes:

>> However, for example, (shell-quote-argument "-enhance -strip") will
>> return "-enhance\\ -strip", which is not what we want.
>> 
>> Similar problem with other instances of `shell-command' in Org where
>> header args supply command line arguments. Like in :cmdline.
>> 
>
> I think there is only a need to deal with the problem of `\\ ', for
> example:
>
> (string-replace "\\ " " " (shell-quote-argument im-in-options))

No. Quoting will also affect '"' and other '\'. We must not try to be
smart here. It will miss edge cases and be fragile in general.

> Any better suggestions? Thanks.

I am afraid that we cannot make things universally safe here without
breaking changes. The best way will be treating :cmd and similar header
args as unsafe and include them into the planned safety prompt system we
discussed in https://orgmode.org/list/87edsd5o89.fsf@localhost

-- 
Ihor Radchenko // yantar92,
Org mode contributor,
Learn more about Org mode at <https://orgmode.org/>.
Support Org development at <https://liberapay.com/org-mode>,
or support my work at <https://liberapay.com/yantar92>
reply via email to
[Prev in Thread] Current Thread [Next in Thread]