Subject: Re: [PATCH] Fix ob-latex.el command injection vulnerability.
From: lux
To: Max Nikulin, emacs-orgmode@gnu.org
Date: Sat, 18 Feb 2023 19:28:40 +0800
User-Agent: Evolution 3.46.3 (3.46.3-1.fc37)
List-Id: "General discussions about Org-mode."
On Sat, 2023-02-18 at 18:15 +0700, Max Nikulin wrote:
> On 18/02/2023 17:08, lux wrote:
> > -              (shell-command (format "mv %s %s" img-out out-
> > file)))))
> > +              (shell-command (format "mv %s %s" (shell-quote-
> > argument img-out) (shell-quote-argument out-file))))))
> 
> Thank you for the patch. Certainly it is an improvement.
> 
> Is there any reason why `rename-file' should be avoided here? I just
> have discovered this function, so I am unaware of possible pitfalls.
> 
> (info "(elisp) Changing-Files")
> https://www.gnu.org/software/emacs/manual/html_node/elisp/Changing-Files.html#index-rename_002dfile

I think using `rename-file' is a good idea. We should use the Emacs built-in functions as much as possible instead of external shell commands, because they are more secure.
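Review bot: quoting with `shell-quote-argument' in the quoted `+' line stops metacharacters in the two names from being parsed as shell syntax, but the names are still handed to `mv' as positional arguments, so a name beginning with `-' would be read by `mv' as an option rather than a file; `rename-file', as proposed in the reply, avoids both problems because no shell or external program ever sees the names, whereas adding `--' after `mv' would only address the option case.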
[Attachment: 0001-lisp-ob-latex.el-org-babel-execute-latex-Fix-command.patch]

From adc0c558b1b091bb4bef77901633f31344b7391a Mon Sep 17 00:00:00 2001
From: Xi Lu <lx@shellcodes.org>
Date: Sat, 18 Feb 2023 18:03:28 +0800
Subject: [PATCH] * lisp/ob-latex.el (org-babel-execute:latex): Fix command
 injection vulnerability.

---
 lisp/ob-latex.el | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lisp/ob-latex.el b/lisp/ob-latex.el
index 428907a27..0d0a37a02 100644
--- a/lisp/ob-latex.el
+++ b/lisp/ob-latex.el
@@ -180,7 +180,7 @@ This function is called by `org-babel-execute-src-block'."
 	                     tmp-pdf
                              (list org-babel-latex-pdf-svg-process)
                              extension err-msg log-buf)))
-                 (shell-command (format "mv %s %s" img-out out-file)))))
+                 (rename-file img-out out-file))))
          ((string-suffix-p ".tikz" out-file)
 	  (when (file-exists-p out-file) (delete-file out-file))
 	  (with-temp-file out-file
-- 
2.30.2
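Review bot: `rename-file' called without its third argument signals `file-already-exists' when OUT-FILE is already present, whereas the `mv' it replaces silently overwrote the target; the `.tikz' branch visible in the trailing context deletes OUT-FILE before writing, so this branch should either do the same or pass `t' as OK-IF-ALREADY-EXISTS, i.e. `(rename-file img-out out-file t)', to keep the previous behaviour. The commit message would also benefit from one sentence saying what the injection was (file names spliced unquoted into a shell command line), since "Fix command injection vulnerability" alone does not tell a reader why `shell-command' is being dropped.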
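As an added illustration (not code from the patch or from Org's ob-latex.el; the my/ function names and the driver are this example's own), here are the three forms the thread discusses side by side, with a small driver that runs each of them on a constructed file whose name contains a space:

```elisp
;; Added illustration, not code from the patch or from Org itself.
;; Three ways of moving IMG-OUT to OUT-FILE, matching the forms the
;; thread discusses; the my/ names are this example's own.

;; 1. The form the patch removes: names spliced unquoted into a shell
;;    command line, so the shell, not the file system, interprets them.
(defun my/move-image-unsafe (img-out out-file)
  (shell-command (format "mv %s %s" img-out out-file)))

;; 2. The first revision quoted in the thread: each name becomes one
;;    shell word, but the names are still arguments parsed by mv.
(defun my/move-image-quoted (img-out out-file)
  (shell-command (format "mv %s %s"
                         (shell-quote-argument img-out)
                         (shell-quote-argument out-file))))

;; 3. The committed form: no shell and no external program.  The third
;;    argument (OK-IF-ALREADY-EXISTS) is passed here so that an existing
;;    OUT-FILE is overwritten as `mv' would have done; the patch as
;;    posted omits it, which makes an existing OUT-FILE an error.
(defun my/move-image-builtin (img-out out-file)
  (rename-file img-out out-file t))

;; Run each variant on a constructed file whose name contains a space,
;; the mildest shell-sensitive character.  The unquoted shell command
;; splits the name into two operands and mv refuses to run, so no
;; OUT-FILE appears; the other two variants move the file.  Returns an
;; alist of (VARIANT . OUT-FILE-EXISTED-AFTERWARDS).
(defun my/demo-move-variants ()
  (let ((results nil))
    (dolist (mover '(my/move-image-unsafe
                     my/move-image-quoted
                     my/move-image-builtin))
      (let* ((dir (make-temp-file "ob-latex-demo" t))
             (img-out (expand-file-name "my image.svg" dir))
             (out-file (expand-file-name "result.svg" dir)))
        (with-temp-file img-out (insert "<svg/>"))
        (ignore-errors (funcall mover img-out out-file))
        (push (cons mover (file-exists-p out-file)) results)
        (delete-directory dir t)))
    (nreverse results)))

;; Evaluate (my/demo-move-variants) in *scratch* to compare the three.
```

The point of the driver is that a harmless space already separates the variants: a name the shell has to re-parse is wrong even before anyone puts a metacharacter in it, which is why the built-in `rename-file', where the name never passes through a shell, is the right fix rather than more quoting.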