all messages for Emacs-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed
* [PATCH] ox-latex: Make more variables file local safe
@ 2024-02-09 14:29 gerard.vermeulen
  2024-02-09 23:04 ` Ihor Radchenko
  0 siblings, 1 reply; 4+ messages in thread
From: gerard.vermeulen @ 2024-02-09 14:29 UTC (permalink / raw)
  To: Emacs orgmode, Ihor Radchenko

[-- Attachment #1: Type: text/plain, Size: 312 bytes --]

Hi,

I have a direct use for org-latex-toc-command being a file local
safe variable and I looked a bit around for other variables not
being file local safe for no good reason IMO (why those not,
while similar variables yes).

I have attached a patch which makes six variables file local safe.

Regards -- Gerard

[-- Attachment #2: 0001-ox-latex-Make-more-variables-file-local-safe.patch --]
[-- Type: application/octet-stream, Size: 2571 bytes --]

From 886c5d82e39b60398dd890999a5ef2ce9d358761 Mon Sep 17 00:00:00 2001
From: Gerard Vermeulen <gerard.vermeulen@posteo.net>
Date: Fri, 9 Feb 2024 15:07:31 +0100
Subject: [PATCH] ox-latex: Make more variables file local safe

* lisp/ox-latex.el (org-latex-subtitle-format):
(org-latex-subtitle-separate, org-latex-toc-command):
(org-latex-image-default-option, org-latex-image-default-width):
(org-latex-image-default-height): Make those variables safe file
local.
---
 lisp/ox-latex.el | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/lisp/ox-latex.el b/lisp/ox-latex.el
index e3edef3bd..93e0f08b8 100644
--- a/lisp/ox-latex.el
+++ b/lisp/ox-latex.el
@@ -597,14 +597,16 @@ which is replaced with the subtitle."
   :group 'org-export-latex
   :version "26.1"
   :package-version '(Org . "8.3")
-  :type '(string :tag "Format string"))
+  :type '(string :tag "Format string")
+  :safe #'stringp)
 
 (defcustom org-latex-subtitle-separate nil
   "Non-nil means the subtitle is not typeset as part of title."
   :group 'org-export-latex
   :version "26.1"
   :package-version '(Org . "8.3")
-  :type 'boolean)
+  :type 'boolean
+  :safe #'booleanp)
 
 (defcustom org-latex-toc-command "\\tableofcontents\n\n"
   "LaTeX command to set the table of contents, list of figures, etc.
@@ -612,7 +614,8 @@ This command only applies to the table of contents generated with the
 toc:t, toc:1, toc:2, toc:3, ... options, not to those generated with
 the #+TOC keyword."
   :group 'org-export-latex
-  :type 'string)
+  :type 'string
+  :safe #'stringp)
 
 (defcustom org-latex-hyperref-template
   "\\hypersetup{\n pdfauthor={%a},\n pdftitle={%t},\n pdfkeywords={%k},
@@ -717,7 +720,8 @@ The function result will be used in the section format string."
   :group 'org-export-latex
   :version "24.4"
   :package-version '(Org . "8.0")
-  :type 'string)
+  :type 'string
+  :safe #'stringp)
 
 (defcustom org-latex-image-default-width ".9\\linewidth"
   "Default width for images.
@@ -725,7 +729,8 @@ This value will not be used if a height is provided."
   :group 'org-export-latex
   :version "24.4"
   :package-version '(Org . "8.0")
-  :type 'string)
+  :type 'string
+  :safe #'stringp)
 
 (defcustom org-latex-image-default-scale ""
   "Default scale for images.
@@ -745,7 +750,8 @@ environment."
   :group 'org-export-latex
   :version "24.4"
   :package-version '(Org . "8.0")
-  :type 'string)
+  :type 'string
+  :safe #'stringp)
 
 (defcustom org-latex-default-figure-position "htbp"
   "Default position for LaTeX figures."
-- 
2.42.0


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH] ox-latex: Make more variables file local safe
  2024-02-09 14:29 [PATCH] ox-latex: Make more variables file local safe gerard.vermeulen
@ 2024-02-09 23:04 ` Ihor Radchenko
  2024-02-10 13:25   ` gerard.vermeulen
  0 siblings, 1 reply; 4+ messages in thread
From: Ihor Radchenko @ 2024-02-09 23:04 UTC (permalink / raw)
  To: gerard.vermeulen; +Cc: Emacs orgmode

gerard.vermeulen@posteo.net writes:

> I have a direct use for org-latex-toc-command being a file local
> safe variable and I looked a bit around for other variables not
> being file local safe for no good reason IMO (why those not,
> while similar variables yes).
>
> I have attached a patch which makes six variables file local safe.

Thanks! I agree about all but org-latex-toc-command.
Although, I am not sure if org-latex-toc-command is really safe to set
to arbitrary value.

-- 
Ihor Radchenko // yantar92,
Org mode contributor,
Learn more about Org mode at <https://orgmode.org/>.
Support Org development at <https://liberapay.com/org-mode>,
or support my work at <https://liberapay.com/yantar92>


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] ox-latex: Make more variables file local safe
  2024-02-09 23:04 ` Ihor Radchenko
@ 2024-02-10 13:25   ` gerard.vermeulen
  2024-02-10 14:56     ` Ihor Radchenko
  0 siblings, 1 reply; 4+ messages in thread
From: gerard.vermeulen @ 2024-02-10 13:25 UTC (permalink / raw)
  To: Ihor Radchenko; +Cc: Emacs orgmode

[-- Attachment #1: Type: text/plain, Size: 875 bytes --]



On 10.02.2024 00:04, Ihor Radchenko wrote:
> gerard.vermeulen@posteo.net writes:
> 
>> I have a direct use for org-latex-toc-command being a file local
>> safe variable and I looked a bit around for other variables not
>> being file local safe for no good reason IMO (why those not,
>> while similar variables yes).
>> 
>> I have attached a patch which makes six variables file local safe.
> 
> Thanks! I agree about all but org-latex-toc-command.
> Although, I am not sure if org-latex-toc-command is really safe to set
> to arbitrary value.

You are right, it is not safe, BUT:

The attached org file (not really malicious) shows how to create a 
malicious
org file for any file local "safe" string variable in ox-latex when 
exporting
to latex and compiling with the -shell-escape option.

Therefore, I attached a patch removing the :safe #'stringp from those
variables.

[-- Attachment #2: malicious.org --]
[-- Type: application/octet-stream, Size: 923 bytes --]

#+title: Malicious?
#+subtitle: ls -l
#+options: timestamp:nil
#+latex_header: \usepackage{minted}

* Test
:PROPERTIES:
:CUSTOM_ID: sec:test
:END:

Test [[#sec:test]] reference.

#+caption: Org Unicorn image.
[[./Org-mode-unicorn.png]]

#+begin_quote
Is replacing {quote} with {\ShellEscape{ls -l}} safe?
#+end_quote

# Candidates to test one by one:
# Unsafe candidates which are not safe upstream:
# org-latex-toc-command: "\\tableofcontents\n\\ShellEscape{ls -l}\n"
# org-latex-subtitle-format: " \\ShellEscape{%s}"
# org-latex-image-default-width: "\\ShellEscape{ls -l}"

# Candidates declared safe upstream which are not safe using worse than this:
# org-latex-image-default-scale: "\\ShellEscape{ls -l}"
# org-latex-default-figure-position: "\\ShellEscape{ls -l}"
# org-latex-reference-command: "\\ShellEscape{ls -l} \\ref{%s}"

# Local Variables:
# org-latex-default-quote-environment: "\\ShellEscape{ls -l}"
# End:

[-- Attachment #3: 0001-ox-latex-string-variables-are-not-file-local-safe.patch --]
[-- Type: application/octet-stream, Size: 1973 bytes --]

From 54d8515e5bacdd3daa4505c3ec0fc80b57e80ed0 Mon Sep 17 00:00:00 2001
From: Gerard Vermeulen <gerard.vermeulen@posteo.net>
Date: Sat, 10 Feb 2024 14:04:55 +0100
Subject: [PATCH] ox-latex: string variables are not file local safe

* lisp/ox-latex.el (org-latex-default-figure-position):
(org-latex-default-quote-environment, org-latex-image-default-scale):
(org-latex-reference-command): file local safe string variables allow
to write Org files allowing to inject any command.

Link: https://list.orgmode.org/ffa77c01d47b15dfc0ae687cab95fb01@posteo.net/
---
 lisp/ox-latex.el | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)

diff --git a/lisp/ox-latex.el b/lisp/ox-latex.el
index 937cbac2c..cfa2b8178 100644
--- a/lisp/ox-latex.el
+++ b/lisp/ox-latex.el
@@ -413,8 +413,7 @@ use of a package such as hyperref or cleveref and then change the format string
 to \"\\autoref{%s}\" or \"\\cref{%s}\" for example."
   :group 'org-export-latex
   :type 'string
-  :package-version '(Org . "9.5")
-  :safe #'stringp)
+  :package-version '(Org . "9.5"))
 
 ;;;; Preamble
 
@@ -734,8 +733,7 @@ or if the image is wrapped within a \"wrapfigure\" environment.
 Scale overrides width and height."
   :group 'org-export-latex
   :package-version '(Org . "9.3")
-  :type 'string
-  :safe #'stringp)
+  :type 'string)
 
 (defcustom org-latex-image-default-height ""
   "Default height for images.
@@ -752,8 +750,7 @@ environment."
   :group 'org-export-latex
   :type 'string
   :version "26.1"
-  :package-version '(Org . "9.0")
-  :safe #'stringp)
+  :package-version '(Org . "9.0"))
 
 (defcustom org-latex-inline-image-rules
   `(("file" . ,(rx "."
@@ -797,8 +794,7 @@ default we use here encompasses both."
   "Default environment used to `quote' blocks."
   :group 'org-export-latex
   :package-version '(Org . "9.5")
-  :type 'string
-  :safe #'stringp)
+  :type 'string)
 
 (defcustom org-latex-default-table-mode 'table
   "Default mode for tables.
-- 
2.42.0


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH] ox-latex: Make more variables file local safe
  2024-02-10 13:25   ` gerard.vermeulen
@ 2024-02-10 14:56     ` Ihor Radchenko
  0 siblings, 0 replies; 4+ messages in thread
From: Ihor Radchenko @ 2024-02-10 14:56 UTC (permalink / raw)
  To: gerard.vermeulen; +Cc: Emacs orgmode

gerard.vermeulen@posteo.net writes:

> Therefore, I attached a patch removing the :safe #'stringp from those
> variables.

Thanks!
Applied, onto main.
https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=80e7c9f80

-- 
Ihor Radchenko // yantar92,
Org mode contributor,
Learn more about Org mode at <https://orgmode.org/>.
Support Org development at <https://liberapay.com/org-mode>,
or support my work at <https://liberapay.com/yantar92>


^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2024-02-10 14:54 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-02-09 14:29 [PATCH] ox-latex: Make more variables file local safe gerard.vermeulen
2024-02-09 23:04 ` Ihor Radchenko
2024-02-10 13:25   ` gerard.vermeulen
2024-02-10 14:56     ` Ihor Radchenko

Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/emacs.git
	https://git.savannah.gnu.org/cgit/emacs/org-mode.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.