Re: [PATCH] Fix ob-latex.el command injection vulnerability.
From: Ihor Radchenko
Subject: Re: [PATCH] Fix ob-latex.el command injection vulnerability.
Date: Thu, 09 Mar 2023 12:22:15 +0000
lux <lx@shellcodes.org> writes:
> Hi, this is a new patch, let me briefly explain this patch:
Thanks!
> 2. `org-babel-latex-convert-pdf' is not safe, simple test:
>
> (org-babel-latex-convert-pdf ";id;.tex" ";uname;.pdf" "" "")
>
> So, add `shell-quote-argument' to each external parameter.
I am not sure if blindly adding `shell-quote-argument' is safe here.
> (defun org-babel-latex-convert-pdf (pdffile out-file im-in-options
> im-out-options)
> "Generate a file from a pdf file using imagemagick."
> - (let ((cmd (concat "convert " im-in-options " " pdffile " "
> - im-out-options " " out-file)))
> + (let ((cmd (concat "convert " (shell-quote-argument im-in-options) " "
> + (shell-quote-argument pdffile) " "
> + (shell-quote-argument im-out-options) " "
> + (shell-quote-argument out-file))))
> (message "Converting pdffile file %s..." cmd)
> (shell-command cmd)))
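Review bot: quoting im-in-options and im-out-options as single arguments (`(shell-quote-argument im-in-options)` and `(shell-quote-argument im-out-options)`) changes behaviour for the documented multi-word option strings: a value such as "-enhance -strip" becomes one escaped token that convert will not recognise as two options. Consider quoting only pdffile and out-file here, or splitting the option strings into separate arguments and invoking convert via `call-process` so no shell parses the file names at all.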
im-in-options and im-out-options, according to
https://orgmode.org/worg/org-contrib/babel/languages/ob-doc-LaTeX.html,
are options passed to ImageMagick.
However, for example, (shell-quote-argument "-enhance -strip") will
return "-enhance\\ -strip", which is not what we want.
A similar problem exists with other instances of `shell-command' in Org
where header args supply command line arguments, like in :cmdline.
--
Ihor Radchenko // yantar92,
Org mode contributor,
Learn more about Org mode at <https://orgmode.org/>.
Support Org development at <https://liberapay.com/org-mode>,
or support my work at <https://liberapay.com/yantar92>
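As an added illustration of the quoting caveat raised above (example code, not the patch under review and not Org's own implementation): `shell-quote-argument' escapes a multi-word option string into a single token, whereas handing convert an argument list through `call-process' avoids the shell entirely. The function name `my/latex-convert-pdf' and the output buffer name are assumptions made for this example.

```elisp
;; Added example, not part of the thread or of ob-latex.el.

;; shell-quote-argument treats its whole argument as ONE shell word, so a
;; space-separated option string collapses into a single escaped token:
(shell-quote-argument "-enhance -strip")
;; On POSIX shells this yields "-enhance\\ -strip", which convert does
;; not recognise as the two options "-enhance" and "-strip".

;; Shell-free alternative (hypothetical; an assumption for this example):
;; build an argv list and call the program directly. The option strings
;; are split into separate words, while the file names are passed as
;; single literal arguments that no shell ever interprets.
(defun my/latex-convert-pdf (pdffile out-file im-in-options im-out-options)
  "Convert PDFFILE to OUT-FILE with ImageMagick without invoking a shell.
IM-IN-OPTIONS and IM-OUT-OPTIONS are space-separated option strings;
an empty string contributes no arguments."
  (let ((args (append (split-string-and-unquote im-in-options)
                      (list pdffile)
                      (split-string-and-unquote im-out-options)
                      (list out-file))))
    (message "Converting pdffile file %S..." (cons "convert" args))
    ;; call-process passes ARGS verbatim to execve; metacharacters such
    ;; as ";" in a file name stay inside that one argument.
    (apply #'call-process "convert" nil "*convert-output*" nil args)))

;; With the test input quoted in the thread, ";id;.tex" reaches convert as
;; a literal file name and nothing is executed by a shell:
;; (my/latex-convert-pdf ";id;.tex" ";uname;.pdf" "-density 300" "-quality 90")
```

The call at the end is left commented because it requires ImageMagick on PATH; the `shell-quote-argument' form can be evaluated on its own to see the escaped result.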