Re: [PATCH] Fix ob-latex.el command injection vulnerability.

[Ihor Radchenko]

lux <lx@shellcodes.org> writes:

> Hi, this is a new patch, let me briefly explain this patch:

Thanks!

> 2. `org-babel-latex-convert-pdf' is not safe, simple test:
>
>       (org-babel-latex-convert-pdf ";id;.tex" ";uname;.pdf" "" "")
>
> So, add `shell-quote-argument' to each external parameter.

I am not sure if blindly adding `shell-quote-argument' is safe here.

>  (defun org-babel-latex-convert-pdf (pdffile out-file im-in-options 
> im-out-options)
>    "Generate a file from a pdf file using imagemagick."
> -  (let ((cmd (concat "convert " im-in-options " " pdffile " "
> -                  im-out-options " " out-file)))
> +  (let ((cmd (concat "convert " (shell-quote-argument im-in-options) " "
> +                     (shell-quote-argument pdffile) " "
> +                  (shell-quote-argument im-out-options) " "
> +                     (shell-quote-argument out-file))))
>      (message "Converting pdffile file %s..." cmd)
>      (shell-command cmd)))

im-in-options and im-out-options, according to
https://orgmode.org/worg/org-contrib/babel/languages/ob-doc-LaTeX.html,
are options passed to ImageMagick.

However, for example, (shell-quote-argument "-enhance -strip") will
return "-enhance\\ -strip", which is not what we want.

Similar problem with other instances of `shell-command' in Org where
header args supply command line arguments. Like in :cmdline.

-- 
Ihor Radchenko // yantar92,
Org mode contributor,
Learn more about Org mode at <https://orgmode.org/>.
Support Org development at <https://liberapay.com/org-mode>,
or support my work at <https://liberapay.com/yantar92>