Re: [PATCH] ob-maxima.el: Fix execution on MS Windows

[Max Nikulin]

On 30/12/2021 01:37, Nikolay Kudryavtsev wrote:
> If your temporary-file-directory is something like "/tmp/apostrophe'", 
> it would not work currently either. So apostrophe is a very special case 
> here.
>
> As for possible evaluation within the double quotes, while this is 
> theoretically possible, user sort of has to go out of his way to trigger 
> it, so the question is whether we should introduce any platform-specific 
> code to mitigate such an obscure case? Then we are also limited by 
> Maxima itself since it has to be able to read that path too and it's 
> very picky when it comes to file paths.

I am not a committer, so it is up to the maintainers to decide if your 
patch is suitable. My intention is to draw attention to the issue, 
however they may tolerate it.

I have not experimented with remote execution of babel code blocks using 
tramp, so I may be unaware of some specific, e.g. execution using ssh 
almost certainly assumes shell command and interface with list of 
arguments may not be available.

When some external data is substituted into a Maxima command (batchload 
this case) there should be an extra pass of escaping that protects 
special characters like quotes (and backslashes?) accordingly to Maxima 
rules.

I expect that %S formatter does a trick by adding quotes around the 
string argument and adding backslashes before quote characters and 
backslashes inside. I suspect that quotes your added around %S must not 
be used there. Due to them file name appears outside of quotes at all. 
This error is hidden unless at least a space character presents in 
temporary directory path.

Unsure concerning Maxima but usually it is possible to pass arguments 
avoiding quoting issues for particular language. A couple of examples 
with inline code snippets

emacs -Q --batch --eval '(message "bl(%S)$" (car argv))' 'a"b\c.txt'
sh -c 'printf "bl(%s)\$\n" "$1"' 'sh' 'a"bc\d.txt'

Maybe there is a way to pass file name as a separate argument (without 
combining it with command) to Maxima as well.

In my opinion, platform-specific code should be avoided when possible. 
Even `shell-quote-argument' may be better. I would prefer e.g. 
`call-process' from info "(elisp) Synchronous Processes" 
https://www.gnu.org/software/emacs/manual/html_node/elisp/Synchronous-Processes.html 
, but I am realizing that it may require more changes in babel or even 
to cause problems with tramp.

Double quotes open issues with injection of commands in backticks `rm 
something`, $variable expansion and other constructs. I hope, 
`shell-quote-argument' is reliable enough.

P.S.
https://xkcd.com/327/ Exploits of a Mom