Re: [PATCH] Fix ob-latex.el command injection vulnerability.
From: lux
Subject: Re: [PATCH] Fix ob-latex.el command injection vulnerability.
Date: Wed, 08 Mar 2023 23:42:58 +0800
User-agent: Evolution 3.46.4 (3.46.4-1.fc37)

On Tue, 2023-03-07 at 22:31 +0700, Max Nikulin wrote:
> On 06/03/2023 10:17, lux wrote:
> > On Sat, 2023-02-18 at 11:43 +0000, Ihor Radchenko wrote:
> > >
> > > I think should be (rename-file img-out out-file t)
> >
> > Fixed, thank you.
>
> There are a couple more mv shell commands in ob-latex.el. It would be
> nice to fix them as well. Sorry, I have not checked it earlier. Are you
> still interested in this topic? I hope you already have examples that
> can be used to quickly test if modified code works as expected.

Hi, this is a new patch, let me briefly explain this patch:

1. Replaced the `(shell-command "mv BAR NEWBAR")' with `rename-file'.
2. `org-babel-latex-convert-pdf' is not safe, simple test:

   (org-babel-latex-convert-pdf ";id;.tex" ";uname;.pdf" "" "")

   So, add `shell-quote-argument' to each external parameter.

0001-lisp-ob-latex.el-Fix-command-injection-vulnerability.patch
Description: Text Data
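
The two changes described in the message above, sketched as an added example that is not part of the original message or the attached patch. Every `demo-` function is hypothetical and `convert` stands in for whatever external converter is called; the `call-process` variant goes one step beyond the message by avoiding the shell entirely.

```elisp
;;; Added example: every `demo-' name is hypothetical, not from ob-latex.el.
;;; "convert" is a placeholder for whatever external converter is invoked.

(defun demo-unsafe-command (in-file out-file)
  "Paste IN-FILE and OUT-FILE into a shell command string verbatim.
A `;' in either name ends the converter command and starts another."
  (format "convert %s %s" in-file out-file))

(defun demo-quoted-command (in-file out-file)
  "Same command with each file name passed through `shell-quote-argument'.
Shell metacharacters are escaped, so each name stays one argument."
  (format "convert %s %s"
          (shell-quote-argument in-file)
          (shell-quote-argument out-file)))

(defun demo-run-without-shell (program in-file out-file)
  "Run PROGRAM on IN-FILE and OUT-FILE with no shell in between.
`call-process' hands each string to PROGRAM as one argv entry, so
there is nothing for a shell to interpret.  Return the exit status."
  (call-process program nil nil nil in-file out-file))

(defun demo-move (from to)
  "Move FROM to TO without a shell, replacing TO if it exists.
This is the `rename-file' form used in place of \"mv FROM TO\"."
  (rename-file from to t))

;; Constructed demonstration in a scratch directory, using the file
;; names from the test in the message above.
(let* ((dir (make-temp-file "demo-quote" t))
       (in (expand-file-name ";id;.tex" dir))
       (out (expand-file-name ";uname;.pdf" dir)))
  (unwind-protect
      (progn
        (with-temp-file in (insert "constructed sample\n"))
        (message "unsafe: %s" (demo-unsafe-command in out))
        (message "quoted: %s" (demo-quoted-command in out))
        (demo-move in out)
        (message "moved:  %s" (file-exists-p out)))
    (delete-directory dir t)))
```

Evaluating the buffer prints both command strings to `*Messages*` for comparison; nothing is passed to a shell.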