
Re: [BUG][SECURITY] ob-sqlite header args allows execution of arbitrary shell commands


From: Ihor Radchenko
Subject: Re: [BUG][SECURITY] ob-sqlite header args allows execution of arbitrary shell commands
Date: Fri, 18 Aug 2023 08:43:35 +0000

Max Nikulin <manikulin@gmail.com> writes:

> On 13/08/2023 14:52, Ihor Radchenko wrote:
>> What do you think about creating a new API to built shell commands and
>> then using it across all the babel backends?
>
> I support the idea in general, but not its particular implementation as 
> `org-make-shell-command' in your patch.
>
> It does not address the issue I raised.
>
> #+begin_src sqlite :db '(literal "/tmp/ob.sqlite$(date 
>  >/tmp/ob-sqlite-vuln.log)")
>    select 1
> #+end_src

Handling lisp values in header arguments is a much more general issue not
tied to ob-sql or even to running shell commands.

It should be addressed alongside
https://orgmode.org/list/87edsd5o89.fsf@localhost

-- 
Ihor Radchenko // yantar92,
Org mode contributor,
Learn more about Org mode at <https://orgmode.org/>.
Support Org development at <https://liberapay.com/org-mode>,
or support my work at <https://liberapay.com/yantar92>
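The header argument quoted above reaches the shell because the backend splices the `:db` value into a command string verbatim. The following Emacs Lisp is an added illustration, not code from Org mode or from either participant in this thread: it contrasts that concatenation pattern with `shell-quote-argument`, and with handing the argument to `call-process` so that no shell is involved at all. The `my/` function names and the sample `:db` value are assumptions made for this example; the sample value is a constructed string modelled on the one Max quoted.

```elisp
;; Added example (not from the Org mode code base).  Constructed :db value,
;; modelled on the header argument quoted in the thread: the resolved string
;; carries a $(...) command substitution.
(defconst my/db-arg "/tmp/ob.sqlite$(date >/tmp/ob-sqlite-vuln.log)"
  "Constructed sample of an untrusted :db header argument, resolved to a string.")

(defun my/unsafe-sqlite-command (db)
  "Build a sqlite3 command line by concatenating DB verbatim.
This is the risky pattern: any shell metacharacter in DB is interpreted
by the shell that later runs the string."
  (concat "sqlite3 " db))

(defun my/safe-sqlite-command (db)
  "Build a sqlite3 command line with DB quoted for the shell.
`shell-quote-argument' escapes every character the shell treats specially,
so DB is passed as a single literal file name."
  (mapconcat #'shell-quote-argument (list "sqlite3" db) " "))

(defun my/shell-metachar-p (s)
  "Return non-nil when S contains characters a POSIX shell would interpret.
Useful as a pre-check or for logging before a header argument is used."
  (string-match-p "[^-0-9a-zA-Z_./]" s))

(defun my/run-sqlite-without-shell (db sql)
  "Run sqlite3 on DB with SQL as its standard input, without any shell.
`call-process' receives DB as one argv element, so no quoting is needed
and no command substitution can occur.  Returns the process output."
  (with-temp-buffer
    (let ((status (call-process-region sql nil "sqlite3" nil t nil db)))
      (cons status (buffer-string)))))

;; Usage: compare the two command strings built from the constructed value.
;; (my/unsafe-sqlite-command my/db-arg)   ; $(...) survives intact
;; (my/safe-sqlite-command my/db-arg)     ; $, (, ), > and space are escaped
;; (my/shell-metachar-p my/db-arg)        ; non-nil, flags the value
```

Of the three approaches, `call-process` with a list of arguments is the one that removes the problem class entirely, since the value never passes through a shell parser; `shell-quote-argument` is the fallback when a backend genuinely needs a command string (for example to feed `shell-command-to-string`). Note that quoting the string is only half of what the thread is about: a header argument can also be a Lisp form, and deciding whether and how such forms are evaluated is the separate issue Ihor points to.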


