From: gerard.vermeulen@posteo.net
To: Ihor Radchenko <yantar92@posteo.net>
Cc: Emacs orgmode <emacs-orgmode@gnu.org>
Subject: Re: [PATCH] ox-latex: Make more variables file local safe
Date: Sat, 10 Feb 2024 13:25:49 +0000 [thread overview]
Message-ID: <27bf6aa17102c2450a78359494d7acb7@posteo.net> (raw)
In-Reply-To: <87y1bt8civ.fsf@localhost>
[-- Attachment #1: Type: text/plain, Size: 875 bytes --]
On 10.02.2024 00:04, Ihor Radchenko wrote:
> gerard.vermeulen@posteo.net writes:
>
>> I have a direct use for org-latex-toc-command being a file local
>> safe variable and I looked a bit around for other variables not
>> being file local safe for no good reason IMO (why those not,
>> while similar variables yes).
>>
>> I have attached a patch which makes six variables file local safe.
>
> Thanks! I agree about all but org-latex-toc-command.
> Although, I am not sure if org-latex-toc-command is really safe to set
> to arbitrary value.
You are right, it is not safe, BUT:
The attached org file (not really malicious) shows how to create a malicious org file for any file local "safe" string variable in ox-latex when exporting to latex and compiling with the -shell-escape option.
Therefore, I attached a patch removing the :safe #'stringp from those variables.
[-- Attachment #2: malicious.org --]
[-- Type: application/octet-stream, Size: 923 bytes --]
#+title: Malicious?
#+subtitle: ls -l
#+options: timestamp:nil
#+latex_header: \usepackage{minted}
* Test
:PROPERTIES:
:CUSTOM_ID: sec:test
:END:
Test [[#sec:test]] reference.
#+caption: Org Unicorn image.
[[./Org-mode-unicorn.png]]
#+begin_quote
Is replacing {quote} with {\ShellEscape{ls -l}} safe?
#+end_quote
# Candidates to test one by one:
# Unsafe candidates which are not safe upstream:
# org-latex-toc-command: "\\tableofcontents\n\\ShellEscape{ls -l}\n"
# org-latex-subtitle-format: " \\ShellEscape{%s}"
# org-latex-image-default-width: "\\ShellEscape{ls -l}"
# Candidates declared safe upstream which are not safe using worse than this:
# org-latex-image-default-scale: "\\ShellEscape{ls -l}"
# org-latex-default-figure-position: "\\ShellEscape{ls -l}"
# org-latex-reference-command: "\\ShellEscape{ls -l} \\ref{%s}"
# Local Variables:
# org-latex-default-quote-environment: "\\ShellEscape{ls -l}"
# End:
[-- Attachment #3: 0001-ox-latex-string-variables-are-not-file-local-safe.patch --]
[-- Type: application/octet-stream, Size: 1973 bytes --]
From 54d8515e5bacdd3daa4505c3ec0fc80b57e80ed0 Mon Sep 17 00:00:00 2001
From: Gerard Vermeulen <gerard.vermeulen@posteo.net>
Date: Sat, 10 Feb 2024 14:04:55 +0100
Subject: [PATCH] ox-latex: string variables are not file local safe
* lisp/ox-latex.el (org-latex-default-figure-position):
(org-latex-default-quote-environment, org-latex-image-default-scale):
(org-latex-reference-command): file local safe string variables allow
writing Org files that can inject any command.
Link: https://list.orgmode.org/ffa77c01d47b15dfc0ae687cab95fb01@posteo.net/
---
lisp/ox-latex.el | 12 ++++--------
1 file changed, 4 insertions(+), 8 deletions(-)
diff --git a/lisp/ox-latex.el b/lisp/ox-latex.el
index 937cbac2c..cfa2b8178 100644
--- a/lisp/ox-latex.el
+++ b/lisp/ox-latex.el
@@ -413,8 +413,7 @@ use of a package such as hyperref or cleveref and then change the format string
to \"\\autoref{%s}\" or \"\\cref{%s}\" for example."
:group 'org-export-latex
:type 'string
- :package-version '(Org . "9.5")
- :safe #'stringp)
+ :package-version '(Org . "9.5"))
;;;; Preamble
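Review bot: dropping `:safe` is the right fix for org-latex-reference-command, because the docstring context at the top of this hunk tells users to set it to "\\autoref{%s}" or "\\cref{%s}", so any value legitimately contains a backslash and no character whitelist could keep those while refusing \ShellEscape. The docstring should say so, though: one sentence noting that the variable is no longer file-local safe and must be set from init or customize would spare users who followed that advice in a Local Variables block a confirmation prompt on every open.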
@@ -734,8 +733,7 @@ or if the image is wrapped within a \"wrapfigure\" environment.
Scale overrides width and height."
:group 'org-export-latex
:package-version '(Org . "9.3")
- :type 'string
- :safe #'stringp)
+ :type 'string)
(defcustom org-latex-image-default-height ""
"Default height for images.
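Review bot: for org-latex-image-default-scale, removing `:safe` outright is broader than needed. A legitimate file-local value is a bare number such as "0.8", so a predicate that checks the shape, e.g. `:safe (lambda (v) (and (stringp v) (string-match-p "\\`[0-9.]*\\'" v)))`, would keep per-file overrides working without a prompt while rejecting anything that carries a backslash or braces. If the blanket removal is preferred, the commit message should say why a narrower predicate was not chosen.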
@@ -752,8 +750,7 @@ environment."
:group 'org-export-latex
:type 'string
:version "26.1"
- :package-version '(Org . "9.0")
- :safe #'stringp)
+ :package-version '(Org . "9.0"))
(defcustom org-latex-inline-image-rules
`(("file" . ,(rx "."
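Review bot: same remark as for the image scale: org-latex-default-figure-position holds a LaTeX placement specifier (letters such as htbp, optionally with `!`), so a `:safe` predicate restricted to that character set would be just as safe as deleting the keyword and would not turn every file that sets "htbp" into a confirmation prompt.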
@@ -797,8 +794,7 @@ default we use here encompasses both."
"Default environment used to `quote' blocks."
:group 'org-export-latex
:package-version '(Org . "9.5")
- :type 'string
- :safe #'stringp)
+ :type 'string)
(defcustom org-latex-default-table-mode 'table
"Default mode for tables.
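Review bot: org-latex-default-quote-environment is an environment name, which is only ever letters (plus a trailing `*`), so a check like `(and (stringp v) (string-match-p "\\`[[:alpha:]*]+\\'" v))` would reject \ShellEscape while still letting a document switch between quote and quotation without prompting. Since this is the fourth hunk dropping `:safe #'stringp` in the same way, one shared predicate for the string-valued variables would also make the policy easier to audit than four separate deletions.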
--
2.42.0
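The injection in the thread works because any file-local string is pasted verbatim into the exported LaTeX. Added example, not code from the patch or from Org itself: narrower `safe-local-variable` predicates (which is what `:safe` installs) for the four variables the patch touches, so ordinary per-file values still load silently while TeX control sequences are refused. The `my/` names are hypothetical.

```elisp
;; Added example (not part of Org or of the patch above).
;; A backslash, braces or % are what a \ShellEscape{...} payload needs;
;; values such as "htbp", "0.8" or "quotation" never contain them.
(defun my/org-latex-plain-string-p (value)
  "Non-nil when VALUE is a string free of LaTeX syntax characters."
  (and (stringp value)
       (not (string-match-p "[\\{}%]" value))))

;; org-latex-reference-command legitimately contains backslashes, so
;; allow only the formats its docstring itself suggests (plus the
;; default \ref{%s}) instead of a character whitelist.
(defun my/org-latex-reference-command-p (value)
  "Non-nil when VALUE is one of the known reference formats."
  (member value '("\\ref{%s}" "\\autoref{%s}" "\\cref{%s}")))

;; This is exactly what a stricter :safe keyword in the defcustom would do:
;; Emacs consults the `safe-local-variable' property before applying a
;; value from a Local Variables block and prompts when it returns nil.
(dolist (var '(org-latex-default-figure-position
               org-latex-default-quote-environment
               org-latex-image-default-scale))
  (put var 'safe-local-variable #'my/org-latex-plain-string-p))

(put 'org-latex-reference-command 'safe-local-variable
     #'my/org-latex-reference-command-p)

;; Try in *scratch*: a plain placement string passes, the payload from
;; malicious.org does not.
(list (my/org-latex-plain-string-p "htbp")
      (my/org-latex-plain-string-p "\\ShellEscape{ls -l}")
      (my/org-latex-reference-command-p "\\ShellEscape{ls -l} \\ref{%s}"))
```

With these properties in place the malicious.org attachment above triggers the usual unsafe-local-variable prompt instead of being exported, whichever of the four variables it targets.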
Thread overview: 4+ messages
2024-02-09 14:29 [PATCH] ox-latex: Make more variables file local safe gerard.vermeulen
2024-02-09 23:04 ` Ihor Radchenko
2024-02-10 13:25 ` gerard.vermeulen [this message]
2024-02-10 14:56 ` Ihor Radchenko