* [PATCH] ox-latex: Make more variables file local safe
From: gerard.vermeulen @ 2024-02-09 14:29 UTC (permalink / raw)
To: Emacs orgmode, Ihor Radchenko
Hi,
I have a direct use for org-latex-toc-command being a file local
safe variable and I looked a bit around for other variables not
being file local safe for no good reason IMO (why those not,
while similar variables yes).
I have attached a patch which makes six variables file local safe.
Regards -- Gerard
[-- Attachment #2: 0001-ox-latex-Make-more-variables-file-local-safe.patch --]
[-- Type: application/octet-stream, Size: 2571 bytes --]
From 886c5d82e39b60398dd890999a5ef2ce9d358761 Mon Sep 17 00:00:00 2001
From: Gerard Vermeulen <gerard.vermeulen@posteo.net>
Date: Fri, 9 Feb 2024 15:07:31 +0100
Subject: [PATCH] ox-latex: Make more variables file local safe
* lisp/ox-latex.el (org-latex-subtitle-format):
(org-latex-subtitle-separate, org-latex-toc-command):
(org-latex-image-default-option, org-latex-image-default-width):
(org-latex-image-default-height): Make those variables safe file
local.
---
lisp/ox-latex.el | 18 ++++++++++++------
1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/lisp/ox-latex.el b/lisp/ox-latex.el
index e3edef3bd..93e0f08b8 100644
--- a/lisp/ox-latex.el
+++ b/lisp/ox-latex.el
@@ -597,14 +597,16 @@ which is replaced with the subtitle."
:group 'org-export-latex
:version "26.1"
:package-version '(Org . "8.3")
- :type '(string :tag "Format string"))
+ :type '(string :tag "Format string")
+ :safe #'stringp)
(defcustom org-latex-subtitle-separate nil
"Non-nil means the subtitle is not typeset as part of title."
:group 'org-export-latex
:version "26.1"
:package-version '(Org . "8.3")
- :type 'boolean)
+ :type 'boolean
+ :safe #'booleanp)
(defcustom org-latex-toc-command "\\tableofcontents\n\n"
"LaTeX command to set the table of contents, list of figures, etc.
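Review bot: `+ :safe #'stringp)` on `org-latex-subtitle-format` only asserts the value's type, not its content: the context line above the hunk says the string "is replaced with the subtitle", i.e. it is a format string written into the document as-is, so any string, including one carrying a LaTeX macro, would be accepted without a prompt. Either leave this variable without `:safe`, or use a predicate that restricts the content (for example a format string whose only non-literal part is the `%s`). The `:safe #'booleanp` on `org-latex-subtitle-separate` is fine, since a boolean cannot carry a payload.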
@@ -612,7 +614,8 @@ This command only applies to the table of contents generated with the
toc:t, toc:1, toc:2, toc:3, ... options, not to those generated with
the #+TOC keyword."
:group 'org-export-latex
- :type 'string)
+ :type 'string
+ :safe #'stringp)
(defcustom org-latex-hyperref-template
"\\hypersetup{\n pdfauthor={%a},\n pdftitle={%t},\n pdfkeywords={%k},
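Review bot: `org-latex-toc-command` should not get `:safe #'stringp`: its docstring ("LaTeX command to set the table of contents, list of figures, etc.") makes it a free-form LaTeX fragment emitted verbatim, so a file-local value is only as safe as whatever LaTeX it contains, and `stringp` cannot tell `\tableofcontents` apart from anything else. Drop the `+ :safe #'stringp)` line in this hunk.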
@@ -717,7 +720,8 @@ The function result will be used in the section format string."
:group 'org-export-latex
:version "24.4"
:package-version '(Org . "8.0")
- :type 'string)
+ :type 'string
+ :safe #'stringp)
(defcustom org-latex-image-default-width ".9\\linewidth"
"Default width for images.
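Review bot: The same concern applies to the `:safe #'stringp` added in this hunk, which per the commit message is `org-latex-image-default-option`: it is another string that the exporter hands to LaTeX unchanged, and `stringp` places no limit on what that option text contains. If file-local use is wanted, a predicate restricted to the syntax of key=value image options would be the safer route; otherwise leave `:safe` out.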
@@ -725,7 +729,8 @@ This value will not be used if a height is provided."
:group 'org-export-latex
:version "24.4"
:package-version '(Org . "8.0")
- :type 'string)
+ :type 'string
+ :safe #'stringp)
(defcustom org-latex-image-default-scale ""
"Default scale for images.
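Review bot: `org-latex-image-default-width` (default `".9\\linewidth"`, visible in the context line above this hunk) is copied straight into LaTeX, so `+ :safe #'stringp` accepts far more than a length expression. If this variable is to be file-local safe, consider a predicate that accepts only a TeX length (a number plus a unit, or a bare length-macro name) rather than any string.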
@@ -745,7 +750,8 @@ environment."
:group 'org-export-latex
:version "24.4"
:package-version '(Org . "8.0")
- :type 'string)
+ :type 'string
+ :safe #'stringp)
(defcustom org-latex-default-figure-position "htbp"
"Default position for LaTeX figures."
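Review bot: As in the hunks above, `+ :safe #'stringp` for `org-latex-image-default-height` constrains only the type. Five of the six `:safe` additions in this patch rely on `stringp`, so the commit message should state why a string value is considered safe for file-local use for these particular variables; that reasoning is what a reader of the ChangeLog entry needs, and it is currently absent.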
--
2.42.0
* Re: [PATCH] ox-latex: Make more variables file local safe
From: Ihor Radchenko @ 2024-02-09 23:04 UTC (permalink / raw)
To: gerard.vermeulen; +Cc: Emacs orgmode
gerard.vermeulen@posteo.net writes:
> I have a direct use for org-latex-toc-command being a file local
> safe variable and I looked a bit around for other variables not
> being file local safe for no good reason IMO (why those not,
> while similar variables yes).
>
> I have attached a patch which makes six variables file local safe.
Thanks! I agree about all but org-latex-toc-command.
Although, I am not sure if org-latex-toc-command is really safe to set
to an arbitrary value.
--
Ihor Radchenko // yantar92,
Org mode contributor,
Learn more about Org mode at <https://orgmode.org/>.
Support Org development at <https://liberapay.com/org-mode>,
or support my work at <https://liberapay.com/yantar92>
* Re: [PATCH] ox-latex: Make more variables file local safe
From: gerard.vermeulen @ 2024-02-10 13:25 UTC (permalink / raw)
To: Ihor Radchenko; +Cc: Emacs orgmode
On 10.02.2024 00:04, Ihor Radchenko wrote:
> gerard.vermeulen@posteo.net writes:
>
>> I have a direct use for org-latex-toc-command being a file local
>> safe variable and I looked a bit around for other variables not
>> being file local safe for no good reason IMO (why those not,
>> while similar variables yes).
>>
>> I have attached a patch which makes six variables file local safe.
>
> Thanks! I agree about all but org-latex-toc-command.
> Although, I am not sure if org-latex-toc-command is really safe to set
> to arbitrary value.
You are right, it is not safe, BUT:
The attached org file (not really malicious) shows how to create a
malicious org file for any file local "safe" string variable in ox-latex
when exporting to latex and compiling with the -shell-escape option.
Therefore, I attached a patch removing the :safe #'stringp from those
variables.
[-- Attachment #2: malicious.org --]
[-- Type: application/octet-stream, Size: 923 bytes --]
#+title: Malicious?
#+subtitle: ls -l
#+options: timestamp:nil
#+latex_header: \usepackage{minted}
* Test
:PROPERTIES:
:CUSTOM_ID: sec:test
:END:
Test [[#sec:test]] reference.
#+caption: Org Unicorn image.
[[./Org-mode-unicorn.png]]
#+begin_quote
Is replacing {quote} with {\ShellEscape{ls -l}} safe?
#+end_quote
# Candidates to test one by one:
# Unsafe candidates which are not safe upstream:
# org-latex-toc-command: "\\tableofcontents\n\\ShellEscape{ls -l}\n"
# org-latex-subtitle-format: " \\ShellEscape{%s}"
# org-latex-image-default-width: "\\ShellEscape{ls -l}"
# Candidates declared safe upstream which are not safe using worse than this:
# org-latex-image-default-scale: "\\ShellEscape{ls -l}"
# org-latex-default-figure-position: "\\ShellEscape{ls -l}"
# org-latex-reference-command: "\\ShellEscape{ls -l} \\ref{%s}"
# Local Variables:
# org-latex-default-quote-environment: "\\ShellEscape{ls -l}"
# End:
[-- Attachment #3: 0001-ox-latex-string-variables-are-not-file-local-safe.patch --]
[-- Type: application/octet-stream, Size: 1973 bytes --]
From 54d8515e5bacdd3daa4505c3ec0fc80b57e80ed0 Mon Sep 17 00:00:00 2001
From: Gerard Vermeulen <gerard.vermeulen@posteo.net>
Date: Sat, 10 Feb 2024 14:04:55 +0100
Subject: [PATCH] ox-latex: string variables are not file local safe
* lisp/ox-latex.el (org-latex-default-figure-position):
(org-latex-default-quote-environment, org-latex-image-default-scale):
(org-latex-reference-command): file-local safe string variables allow
writing Org files that can inject any command.
Link: https://list.orgmode.org/ffa77c01d47b15dfc0ae687cab95fb01@posteo.net/
---
lisp/ox-latex.el | 12 ++++--------
1 file changed, 4 insertions(+), 8 deletions(-)
diff --git a/lisp/ox-latex.el b/lisp/ox-latex.el
index 937cbac2c..cfa2b8178 100644
--- a/lisp/ox-latex.el
+++ b/lisp/ox-latex.el
@@ -413,8 +413,7 @@ use of a package such as hyperref or cleveref and then change the format string
to \"\\autoref{%s}\" or \"\\cref{%s}\" for example."
:group 'org-export-latex
:type 'string
- :package-version '(Org . "9.5")
- :safe #'stringp)
+ :package-version '(Org . "9.5"))
;;;; Preamble
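Review bot: Removing `:safe #'stringp` here is the right call, since `org-latex-reference-command` is a format string (`\autoref{%s}`, `\cref{%s}` in the context lines) that goes into the document as-is. It does change behaviour for users who already set it in a Local Variables block (Emacs will now ask before applying the value), so that should be stated in the commit message or a NEWS entry rather than left to the `Link:` trailer.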
@@ -734,8 +733,7 @@ or if the image is wrapped within a \"wrapfigure\" environment.
Scale overrides width and height."
:group 'org-export-latex
:package-version '(Org . "9.3")
- :type 'string
- :safe #'stringp)
+ :type 'string)
(defcustom org-latex-image-default-height ""
"Default height for images.
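Review bot: With `:safe` gone, `:type 'string` remains the only constraint on `org-latex-image-default-scale`, which is correct for Customize. If file-local use of a scale factor is wanted again later, a predicate that accepts only a decimal number (for example `(string-match-p "\\`[0-9]*\\.?[0-9]+\\'" v)`) would be a safe replacement for `stringp`; anything that admits a backslash is not.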
@@ -752,8 +750,7 @@ environment."
:group 'org-export-latex
:type 'string
:version "26.1"
- :package-version '(Org . "9.0")
- :safe #'stringp)
+ :package-version '(Org . "9.0"))
(defcustom org-latex-inline-image-rules
`(("file" . ,(rx "."
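Review bot: `org-latex-default-figure-position` is a good candidate for a narrow predicate instead of no `:safe` at all: legitimate values are placement specifiers built from `h`, `t`, `b`, `p`, `H` and `!`, so a check like `(string-match-p "\\`[htbpH!]+\\'" v)` would keep the file-local convenience while rejecting the `\ShellEscape{ls -l}` value from malicious.org. Dropping `:safe` is fine as the conservative fix; just noting the alternative.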
@@ -797,8 +794,7 @@ default we use here encompasses both."
"Default environment used to `quote' blocks."
:group 'org-export-latex
:package-version '(Org . "9.5")
- :type 'string
- :safe #'stringp)
+ :type 'string)
(defcustom org-latex-default-table-mode 'table
"Default mode for tables.
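Review bot: Same option for `org-latex-default-quote-environment`: an environment name is letters only, so `(string-match-p "\\`[A-Za-z]+\\'" v)` would be a safe predicate if file-local setting of the quote environment is still desired. Removing `:safe` is consistent with the other hunks and is the conservative choice for the release.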
--
2.42.0
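A defender-side follow-up to the message above, added here as an example and not part of either patch: where a variable's legitimate values are narrow, an allowlist predicate can replace `stringp` so the file-local convenience survives without accepting arbitrary TeX. The variable names are the real ox-latex ones from the thread; the predicate names `my-latex-float-position-p` and `my-latex-env-name-p` are our own.

```elisp
;; Added example, not code from the patches in this thread.  ox-latex
;; splices these strings verbatim into the generated .tex, so `stringp'
;; checks the type and never the content.  An allowlist predicate
;; accepts exactly the values the variable exists for and nothing else.
(require 'cl-lib)

(defun my-latex-float-position-p (value)
  "Non-nil if VALUE is a bare float placement such as \"htbp\" or \"H\".
Only the characters h t b p H and ! are allowed, so no backslash,
brace or macro can pass.  Our own predicate, not part of ox-latex."
  (let ((case-fold-search nil))
    (and (stringp value)
         (string-match-p "\\`[htbpH!]+\\'" value)
         t)))

(defun my-latex-env-name-p (value)
  "Non-nil if VALUE looks like a plain LaTeX environment name.
Letters only (\"quote\", \"quotation\", \"displayquote\").  This is an
allowlist on purpose rather than a blocklist of suspicious characters.
Our own predicate, not part of ox-latex."
  (and (stringp value)
       (string-match-p "\\`[A-Za-z]+\\'" value)
       t))

;; Attach the predicates as `safe-local-variable' properties, which is
;; what the `:safe' keyword of `defcustom' does under the hood.  This
;; overrides whatever `:safe' the installed ox-latex declared.
(put 'org-latex-default-figure-position 'safe-local-variable
     #'my-latex-float-position-p)
(put 'org-latex-default-quote-environment 'safe-local-variable
     #'my-latex-env-name-p)

;; Self-check: the benign defaults from ox-latex pass, the injected
;; value from malicious.org is refused (Emacs would then prompt).
(cl-assert (safe-local-variable-p 'org-latex-default-figure-position "htbp"))
(cl-assert (not (safe-local-variable-p 'org-latex-default-figure-position
                                       "\\ShellEscape{ls -l}")))
(cl-assert (safe-local-variable-p 'org-latex-default-quote-environment "quote"))
(cl-assert (not (safe-local-variable-p 'org-latex-default-quote-environment
                                       "\\ShellEscape{ls -l}")))
```

Evaluate this in the running Emacs (for instance from init.el) before opening the Org file; `safe-local-variable-p` is the same check Emacs runs when it decides whether to apply a Local Variables entry silently or ask first.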
* Re: [PATCH] ox-latex: Make more variables file local safe
From: Ihor Radchenko @ 2024-02-10 14:56 UTC (permalink / raw)
To: gerard.vermeulen; +Cc: Emacs orgmode
gerard.vermeulen@posteo.net writes:
> Therefore, I attached a patch removing the :safe #'stringp from those
> variables.
Thanks!
Applied, onto main.
https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=80e7c9f80
--
Ihor Radchenko // yantar92,
Org mode contributor,
Learn more about Org mode at <https://orgmode.org/>.
Support Org development at <https://liberapay.com/org-mode>,
or support my work at <https://liberapay.com/yantar92>