Re: [PATCH] Fix ob-latex.el command injection vulnerability.

From: Max Nikulin
Subject: Re: [PATCH] Fix ob-latex.el command injection vulnerability.
Date: Thu, 9 Mar 2023 23:29:41 +0700
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.7.1
On 09/03/2023 19:22, Ihor Radchenko wrote:
> lux writes:
>
>> Hi, this is a new patch, let me briefly explain this patch:
>
> Thank you for scratching my itch related to unsafe shell commands in Org
> Mode.
>
>> 2. `org-babel-latex-convert-pdf' is not safe, simple test:
>> ...
>
> I am not sure if blindly adding `shell-quote-argument' is safe here.
> I believe, first hunk still can be committed.
>
>> (shell-command cmd)))
im-in-options and im-out-options, according to
https://orgmode.org/worg/org-contrib/babel/languages/ob-doc-LaTeX.html,
are options passed to ImageMagick.

ImageMagick is a disaster per se.

Ideally `call-process' or `process-file' should be here instead of
`shell-command', making `shell-quote-argument' unnecessary. Sorry, it is
not clear to me whether remote files (e.g. /ssh:...) are supported here.
Unfortunately, options as a string rather than as a list mean a
compatibility issue. `split-string-and-unquote' may cause new bugs.

I have not evaluated it yet, but from discussions on this list I have an
impression that some LaTeX packages need to run external commands. I am
unsure to what degree it is safe or whether it may be easily exploited.
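The two shapes contrasted in the message above, written out as an added Emacs Lisp example. This is not code from the thread or from ob-latex.el: the function names (`my-latex-convert-pdf-unsafe', `my-latex-convert-pdf', `my-latex-convert-pdf-remote', `my-latex--options-list', `my-latex-demo-args') and the `*convert-output*' buffer are assumptions made for the illustration, and the ImageMagick invocation is a stand-in for whatever the real conversion step runs.

```elisp
;; Added example, not ob-latex.el code.  All `my-latex-' names are
;; hypothetical.  It contrasts a single shell string with an argument
;; list handed to `call-process' / `process-file', and shows one way to
;; keep accepting the existing string-valued ImageMagick options.

;; Risky shape: every input is spliced into one string that /bin/sh
;; parses.  A file name or option value containing shell metacharacters
;; alters the command structure instead of being treated as data, which
;; is the defect the patch in this thread is about.
(defun my-latex-convert-pdf-unsafe (pdffile out-file im-in-options im-out-options)
  "Convert PDFFILE to OUT-FILE by handing one string to the shell."
  (shell-command
   (format "convert %s %s %s %s" im-in-options pdffile im-out-options out-file)))

;; The string-vs-list compatibility point from the message: existing
;; documents supply the ImageMagick options as one string, so a
;; list-based caller still has to split them.  `split-string-and-unquote'
;; understands double quotes and backslashes but is not a full shell
;; parser, which is why it may surprise users who relied on shell syntax.
(defun my-latex--options-list (opts)
  "Return OPTS (nil, a list, or a string of options) as a list of arguments."
  (cond ((null opts) nil)
        ((listp opts) opts)
        ((stringp opts) (split-string-and-unquote opts))
        (t (error "Unsupported option value: %S" opts))))

;; Safer shape: `call-process' passes each argument straight to the
;; program; no shell sees them, so `shell-quote-argument' is unnecessary.
(defun my-latex-convert-pdf (pdffile out-file im-in-options im-out-options)
  "Convert PDFFILE to OUT-FILE with ImageMagick without invoking a shell.
Return the exit status of the convert program."
  (apply #'call-process "convert" nil "*convert-output*" nil
         (append (my-latex--options-list im-in-options)
                 (list (expand-file-name pdffile))
                 (my-latex--options-list im-out-options)
                 (list (expand-file-name out-file)))))

;; Remote files (/ssh:host:...): `process-file' runs the program where
;; `default-directory' lives (through TRAMP when it is remote), with the
;; same argument-list discipline.  `file-local-name' strips the remote
;; prefix so the remote `convert' sees an ordinary path.
(defun my-latex-convert-pdf-remote (pdffile out-file im-in-options im-out-options)
  "Like `my-latex-convert-pdf' but run where PDFFILE resides."
  (let ((default-directory (file-name-directory pdffile)))
    (apply #'process-file "convert" nil "*convert-output*" nil
           (append (my-latex--options-list im-in-options)
                   (list (file-local-name pdffile))
                   (my-latex--options-list im-out-options)
                   (list (file-local-name out-file))))))

;; Check that an argument list survives verbatim: a constructed file
;; name full of characters the shell treats specially reaches the child
;; process unchanged.  Returns t when the round trip is exact.
(defun my-latex-demo-args ()
  "Return t if a metacharacter-laden argument is passed through untouched."
  (let ((name "a file; with $odd `chars`.pdf"))
    (with-temp-buffer
      (call-process "printf" nil t nil "%s\n" name)
      (string= (buffer-string) (concat name "\n")))))
```

Evaluate `(my-latex-demo-args)' in a scratch buffer to see the pass-through check; run `(my-latex-convert-pdf "in.pdf" "out.png" "-density 300" nil)' only where ImageMagick's `convert' is installed, since the example deliberately does not fall back to a shell when the program is missing.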