* [BUG] [Babel] Quotes-in-strings not being escaped in python, breaking output

From: Christopher Allan Webber
Date: 2010-11-09 16:58 UTC
To: emacs-orgmode

Strings with quotes in them aren't having the inner quotes escaped right
while read by ob-python in python. Example:

#+BEGIN_SRC python
return [['607', 'Show license short name on the deed'],
        ['255', '"Smart" 404 pages']]
#+END_SRC

#+results:
| 607 | Show license short name on the deed |       |           |
| 255 |                                     | Smart | 404 pages |
* Re: [BUG] [Babel] Quotes-in-strings not being escaped in python, breaking output

From: Christopher Allan Webber
Date: 2010-11-09 17:07 UTC
To: emacs-orgmode

It looks like \' and " are not being escaped in
org-babel-python-table-or-string, which is the problem.

Christopher Allan Webber <cwebber@dustycloud.org> writes:

> Strings with quotes in them aren't having the inner quotes escaped right
> while read by ob-python in python. Example:
>
> #+BEGIN_SRC python
> return [['607', 'Show license short name on the deed'],
>         ['255', '"Smart" 404 pages']]
> #+END_SRC
>
> #+results:
> | 607 | Show license short name on the deed | | |
> | 255 | | Smart | 404 pages |
>
> _______________________________________________
> Emacs-orgmode mailing list
> Please use `Reply All' to send replies to the list.
> Emacs-orgmode@gnu.org
> http://lists.gnu.org/mailman/listinfo/emacs-orgmode
* Re: [BUG] [Babel] Quotes-in-strings not being escaped in python, breaking output

From: Christopher Allan Webber
Date: 2010-11-09 22:34 UTC
To: emacs-orgmode

I worry about this a bit because of the possible security issue: the
ability to execute arbitrary code, since the structure that gets
constructed is eval'ed.

eg:

#+BEGIN_SRC python
return [['607', 'Show license short name on the deed'],
        ['255', "'))(message (concat 'hello ' 'world"]]
#+END_SRC

That constructs a set of listp objects which are evaluated and look
like:

'(("607" "Show license short name on the deed") ("255" ""))
(message (concat "hello " "world"))

It doesn't seem like the second one is being evaluated but it makes me
nervous that it's being passed through eval like this at all.

Christopher Allan Webber <cwebber@dustycloud.org> writes:

> It looks like \' and " are not being escaped in
> org-babel-python-table-or-string, which is the problem.
>
> Christopher Allan Webber <cwebber@dustycloud.org> writes:
>
>> Strings with quotes in them aren't having the inner quotes escaped right
>> while read by ob-python in python. Example:
>>
>> #+BEGIN_SRC python
>> return [['607', 'Show license short name on the deed'],
>>         ['255', '"Smart" 404 pages']]
>> #+END_SRC
>>
>> #+results:
>> | 607 | Show license short name on the deed | | |
>> | 255 | | Smart | 404 pages |
* Re: [BUG] [Babel] Quotes-in-strings not being escaped in python, breaking output

From: Eric Schulte
Date: 2010-11-23 1:57 UTC
To: Christopher Allan Webber
Cc: emacs-orgmode

Hi,

Thanks for raising this issue up. While I don't consider it a security
issue (code blocks are already executing arbitrary code on your system),
it is certainly a failure in the parsing of input from scripting
languages (actually any language which has single-quote delimited
strings).

I just pushed up a fix which should resolve these issues (and some
related issues) in Ruby, Python and Haskell. The following example now
executes as expected for me.

Thanks for the report -- Eric

** reading from single-quote-delim languages

#+BEGIN_SRC python
return [['607', 'Show license short, name on the deed'],
        ['255', "'(message (concat 'hello ' 'world))"]]
#+END_SRC

#+results:
| 607 | Show license short, name on the deed |
| 255 | '(message (concat 'hello ' 'world)) |

#+begin_src ruby
[['607', 'Show license, short name on the deed'],
 ['255', "))'(message (concat 'hello ' 'world"]]
#+end_src

#+results:
| 607 | Show license, short name on the deed |
| 255 | ))'(message (concat 'hello ' 'world  |

#+begin_src haskell
[["'single quotes'", "b"], ["\"double quotes\"", "d"]]
#+end_src

#+results:
| 'single quotes' | b |
| "double quotes" | d |

Christopher Allan Webber <cwebber@dustycloud.org> writes:

> I worry about this a bit because of the possible security issue: the
> ability to execute arbitrary code, since the structure that gets
> constructed is eval'ed.
>
> eg:
>
> #+BEGIN_SRC python
> return [['607', 'Show license short name on the deed'],
>         ['255', "'))(message (concat 'hello ' 'world"]]
> #+END_SRC
>
> That constructs a set of listp objects which are evaluated and look
> like:
>
> '(("607" "Show license short name on the deed") ("255" ""))
> (message (concat "hello " "world"))
>
> It doesn't seem like the second one is being evaluated but it makes me
> nervous that it's being passed through eval like this at all.
>
> Christopher Allan Webber <cwebber@dustycloud.org> writes:
>
>> It looks like \' and " are not being escaped in
>> org-babel-python-table-or-string, which is the problem.
>>
>> Christopher Allan Webber <cwebber@dustycloud.org> writes:
>>
>>> Strings with quotes in them aren't having the inner quotes escaped right
>>> while read by ob-python in python. Example:
>>>
>>> #+BEGIN_SRC python
>>> return [['607', 'Show license short name on the deed'],
>>>         ['255', '"Smart" 404 pages']]
>>> #+END_SRC
>>>
>>> #+results:
>>> | 607 | Show license short name on the deed | | |
>>> | 255 | | Smart | 404 pages |
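The failure mode described in this thread, and the kind of parsing that avoids it, as an added example. This is not code from Org mode or ob-python, and not from any participant in the thread. The "naive" path is my model of the pre-fix behaviour the messages describe (the Python repr is turned into Lisp text by swapping quote characters and brackets and is then read as a Lisp form); the exact substitutions are an assumption. The "safe" path parses the printed result as a Python literal with ast.literal_eval, which never evaluates names or calls, so a value that happens to look like Lisp or Python source stays a string. The sample results are the ones posted in the messages above; greet('world') is a constructed non-literal input.

```python
"""Reading a Python block's printed result as a table: quote-swap vs. literal parse.

Added example (not Org mode / ob-python code). naive_rows() models the pre-fix
transform the thread describes (an assumption about the exact substitutions);
safe_table_or_string() parses the same text as a Python literal instead.
"""
import ast
from typing import List, Tuple, Union

# Sample outputs copied from the messages in this thread.
BUG_REPORT_RESULT = (
    "[['607', 'Show license short name on the deed'], "
    "['255', '\"Smart\" 404 pages']]"
)
LISP_LOOKING_RESULT = (
    "[['607', 'Show license short name on the deed'], "
    "['255', \"'))(message (concat 'hello ' 'world\"]]"
)
HASKELL_RESULT = '[["\'single quotes\'", "b"], ["\\"double quotes\\"", "d"]]'


def naive_convert(result_text: str) -> str:
    """Assumed model of the pre-fix transform: make the Python repr look like a
    Lisp list of strings by textual substitution. Quotes *inside* a value are
    not escaped, which is exactly the defect the bug report shows."""
    text = result_text.replace("'", '"')
    text = text.replace(", ", " ")
    return text.replace("[", "(").replace("]", ")")


def read_lisp_form(text: str, pos: int = 0) -> Tuple[Union[str, list], int]:
    """Minimal Lisp reader: returns the first form and the index just past it.
    Strings and symbols both come back as str, the way they land in table
    cells. Used only to show how the swapped text tokenises."""
    n = len(text)
    while pos < n and text[pos].isspace():
        pos += 1
    if pos >= n:
        raise ValueError("unexpected end of form")
    ch = text[pos]
    if ch == "(":
        items: list = []
        pos += 1
        while True:
            while pos < n and text[pos].isspace():
                pos += 1
            if pos >= n:
                raise ValueError("unbalanced '('")
            if text[pos] == ")":
                return items, pos + 1
            item, pos = read_lisp_form(text, pos)
            items.append(item)
    if ch == ")":
        raise ValueError("unexpected ')'")
    if ch == '"':
        end = text.find('"', pos + 1)
        if end < 0:
            raise ValueError("unterminated string")
        return text[pos + 1:end], end + 1
    end = pos  # a symbol runs until whitespace, a paren or a double quote
    while end < n and not text[end].isspace() and text[end] not in '()"':
        end += 1
    return text[pos:end], end


def naive_rows(result_text: str) -> Tuple[List[List[str]], str]:
    """Table the naive path yields, plus whatever text is left after the first
    form: a value containing quotes has become separate Lisp source text.
    Cells are stripped the way an Org table cell is displayed."""
    lisp_text = naive_convert(result_text)
    form, end = read_lisp_form(lisp_text)
    rows = [[cell.strip() for cell in row] for row in form]
    return rows, lisp_text[end:].strip()


def safe_table_or_string(result_text: str) -> Union[List[List[str]], str]:
    """Parse the printed result as a Python literal and normalise it to rows of
    strings. ast.literal_eval rejects names, calls and attribute access with
    ValueError, so output that merely looks like code comes back as the raw
    string rather than being executed. Deeply nested input can still exhaust
    the parser, hence RecursionError and MemoryError are caught as well."""
    try:
        value = ast.literal_eval(result_text.strip())
    except (ValueError, SyntaxError, RecursionError, MemoryError):
        return result_text
    if isinstance(value, (list, tuple)):
        if value and all(isinstance(r, (list, tuple)) for r in value):
            return [[str(c) for c in r] for r in value]
        return [[str(c) for c in value]]
    return str(value)


if __name__ == "__main__":
    rows, leftover = naive_rows(BUG_REPORT_RESULT)
    print("naive:", rows)  # second row splits at the inner double quotes
    rows, leftover = naive_rows(LISP_LOOKING_RESULT)
    print("naive:", rows, "| unread Lisp text:", leftover)
    print("safe: ", safe_table_or_string(LISP_LOOKING_RESULT))
```

Run as a script, the naive path reproduces the broken second row from the bug report (`255`, an empty cell, `Smart`, `404 pages`) and, for the Lisp-looking value, leaves `(message (concat "hello " "world"))` behind as unread text after the table form, which is the shape the thread's third message describes. The literal parser returns both inputs as two-column tables with the quotes intact, and Eric's Haskell example parses the same way because it is also a valid Python literal.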