From: Max Nikulin
Subject: Re: [BUG][SECURITY] ob-sqlite header args allows execution of arbitrary shell commands
Date: Fri, 18 Aug 2023 17:56:58 +0700
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.14.0
On 18/08/2023 15:43, Ihor Radchenko wrote:
> Max Nikulin writes:
>
>> #+begin_src sqlite :db '(literal "/tmp/ob.sqlite$(date >/tmp/ob-sqlite-vuln.log)")
>> select 1
>> #+end_src
>
> Handling lisp values in header arguments is much more general issue not
> tied to ob-sql or even to running shell commands. It should be addressed
> alongside with https://orgmode.org/list/87edsd5o89.fsf@localhost
Ihor, this is a list, not an expression to be evaluated. There are some conditions to avoid user prompts for strings, lists, etc. They are considered safe.
This particular case is handled namely by ob-sqlite and the proposed function in org-macs.
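Added illustration, not part of the message above and not ob-sqlite's own code: the PoC works because the string resolved from the `:db` header argument is spliced into a shell command line, where the shell expands `$(...)` before the sqlite binary ever sees the path. The two helper names, the use of `printf` in place of `sqlite3`, and the sample value are assumptions made for the demo; the sample value has the same shape as the header argument in the report.

```elisp
;; Added example (hypothetical helpers, not ob-sqlite code).  Shows why an
;; unquoted :db value in a shell command line executes commands, and the
;; standard fix: quote it with `shell-quote-argument'.  `printf' stands in
;; for the sqlite3 invocation so the demo needs no sqlite3 binary.

(defun demo-unsafe-command (db)
  "Splice DB into a shell command line unquoted (the vulnerable shape)."
  (format "printf '%%s\\n' %s" db))

(defun demo-safe-command (db)
  "Same command line, but DB is quoted so the shell sees one literal word."
  (format "printf '%%s\\n' %s" (shell-quote-argument db)))

;; Constructed input with the same shape as the PoC in the thread: a path
;; carrying a command substitution.
(defvar demo-db "/tmp/ob.sqlite$(date >/tmp/ob-sqlite-vuln.log)")

;; Unquoted: the shell runs `date' (creating the log file) while expanding
;; the command line, and printf only receives "/tmp/ob.sqlite".
(shell-command-to-string (demo-unsafe-command demo-db))

;; Quoted: no expansion takes place; printf receives the whole string,
;; "$(...)" included, as a single argument.
(shell-command-to-string (demo-safe-command demo-db))
```

Evaluate the two `shell-command-to-string` forms in `*scratch*` and compare: after the first one `/tmp/ob-sqlite-vuln.log` exists, after the second it does not, and the returned strings differ accordingly. The check to carry over to any Babel backend that shells out is the same: every header-argument value that lands in a command line passes through `shell-quote-argument` (or is handed to `call-process` as a separate argument) regardless of whether Org's safety prompt considered the value itself safe.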