From: Ihor Radchenko
To: Andrea
Cc: emacs-orgmode@gnu.org
Subject: Re: [BUG] ob-sql should escape the password [9.7.3 (9.7.3-2f1844 @ /home/andrea/.emacs.d/elpa/org-9.7.3/)]
Date: Sat, 08 Jun 2024 15:21:37 +0000
Message-ID: <8734pnxxxa.fsf@localhost>

Andrea writes:

> ob-sql.el has a function org-babel-execute:sql. This function extracts
> the password to connect to your database of choice as dbpassword.
> It then uses it like this:
>
>     (if dbpassword
>         (format "PGPASSWORD=%s " dbpassword)
>       "")
>
> If the password contains an & character, the execution of a block fails.

Thanks for reporting!
May you please try the attached patch?

From 0b59737d9e343b495f5567d45ff68e002e0cc8d6 Mon Sep 17 00:00:00 2001
Message-ID: <0b59737d9e343b495f5567d45ff68e002e0cc8d6.1717860058.git.yantar92@posteo.net>
From: Ihor Radchenko
Date: Sat, 8 Jun 2024 17:18:46 +0200
Subject: [PATCH] ob-sql: Quote all the shell arguments originating from Org buffer

* lisp/ob-sql.el (org-babel-sql-dbstring-mysql):
(org-babel-sql-dbstring-postgresql):
(org-babel-sql-dbstring-oracle):
(org-babel-sql-dbstring-mssql):
(org-babel-sql-dbstring-sqsh):
(org-babel-sql-dbstring-vertica):
(org-babel-sql-dbstring-saphana):
(org-babel-execute:sql): Quote all the shell arguments to avoid
unexpected shell expansion.  Do not quote port as it is a number; make
sure that port is really demanded a number in the format strings.

Reported-by: Andrea
Link: https://orgmode.org/list/DU2P193MB24225F623DBF8B3D254D3C0E88FA2@DU2P193MB2422.EURP193.PROD.OUTLOOK.COM
---
 lisp/ob-sql.el | 90 ++++++++++++++++++++++++++++----------------------
 1 file changed, 51 insertions(+), 39 deletions(-)

diff --git a/lisp/ob-sql.el b/lisp/ob-sql.el index dc067a417..e51eed1bc 100644 --- a/lisp/ob-sql.el +++ b/lisp/ob-sql.el
@@ -117,23 +117,27 @@ (defun org-babel-edit-prep:sql (info) (defun org-babel-sql-dbstring-mysql (host port user password database) "Make MySQL cmd line args for database connection. Pass nil to omit that arg." - (combine-and-quote-strings + (mapconcat + #'identity (delq nil - (list (when host (concat "-h" host)) + (list (when host (concat "-h" (shell-quote-argument host))) (when port (format "-P%d" port)) - (when user (concat "-u" user)) - (when password (concat "-p" password)) - (when database (concat "-D" database)))))) + (when user (concat "-u" (shell-quote-argument user))) + (when password (concat "-p" (shell-quote-argument password))) + (when database (concat "-D" (shell-quote-argument database))))) + " ")) (defun org-babel-sql-dbstring-postgresql (host port user database) "Make PostgreSQL command line args for database connection. Pass nil to omit that arg." - (combine-and-quote-strings + (mapconcat + #'identity (delq nil - (list (when host (concat "-h" host)) + (list (when host (concat "-h" (shell-quote-argument host))) (when port (format "-p%d" port)) - (when user (concat "-U" user)) - (when database (concat "-d" database)))))) + (when user (concat "-U" (shell-quote-argument user))) + (when database (concat "-d" (shell-quote-argument database))))) + " ")) (defun org-babel-sql-dbstring-oracle (host port user password database) "Make Oracle command line arguments for database connection. 
@@ -149,8 +153,12 @@ (defun org-babel-sql-dbstring-oracle (host port user password database) /@ using its alias." + (when user (setq user (shell-quote-argument user))) + (when password (setq password (shell-quote-argument password))) + (when database (setq database (shell-quote-argument database))) + (when host (setq host (shell-quote-argument host))) (cond ((and user password database host port) - (format "%s/%s@%s:%s/%s" user password host port database)) + (format "%s/%s@%s:%d/%s" user password host port database)) ((and user password database) (format "%s/%s@%s" user password database)) (t (user-error "Missing information to connect to database")))) @@ -161,10 +169,10 @@ (defun org-babel-sql-dbstring-mssql (host user password database) SQL Server on Windows and Linux platform." (mapconcat #'identity (delq nil - (list (when host (format "-S \"%s\"" host)) - (when user (format "-U \"%s\"" user)) - (when password (format "-P \"%s\"" password)) - (when database (format "-d \"%s\"" database)))) + (list (when host (format "-S \"%s\"" (shell-quote-argument host))) + (when user (format "-U \"%s\"" (shell-quote-argument user))) + (when password (format "-P \"%s\"" (shell-quote-argument password))) + (when database (format "-d \"%s\"" (shell-quote-argument database))))) " ")) (defun org-babel-sql-dbstring-sqsh (host user password database) 
@@ -172,10 +180,10 @@ (defun org-babel-sql-dbstring-sqsh (host user password database) \"sqsh\" is one method to access Sybase or MS SQL via Linux platform" (mapconcat #'identity (delq nil - (list (when host (format "-S \"%s\"" host)) - (when user (format "-U \"%s\"" user)) - (when password (format "-P \"%s\"" password)) - (when database (format "-D \"%s\"" database)))) + (list (when host (format "-S \"%s\"" (shell-quote-argument host))) + (when user (format "-U \"%s\"" (shell-quote-argument user))) + (when password (format "-P \"%s\"" (shell-quote-argument password))) + (when database (format "-D \"%s\"" (shell-quote-argument database))))) " ")) (defun org-babel-sql-dbstring-vertica (host port user password database) @@ -183,11 +191,11 @@ (defun org-babel-sql-dbstring-vertica (host port user password database) Pass nil to omit that arg." (mapconcat #'identity (delq nil - (list (when host (format "-h %s" host)) + (list (when host (format "-h %s" (shell-quote-argument host))) (when port (format "-p %d" port)) - (when user (format "-U %s" user)) + (when user (format "-U %s" (shell-quote-argument user))) (when password (format "-w %s" (shell-quote-argument password) )) - (when database (format "-d %s" database)))) + (when database (format "-d %s" (shell-quote-argument database))))) " ")) (defun org-babel-sql-dbstring-saphana (host port instance user password database) 
@@ -195,13 +203,15 @@ (defun org-babel-sql-dbstring-saphana (host port instance user password database Pass nil to omit that arg." (mapconcat #'identity (delq nil - (list (and host port (format "-n %s:%s" host port)) - (and host (not port) (format "-n %s" host)) + (list (and host port (format "-n %s:%s" + (shell-quote-argument host) + port)) + (and host (not port) (format "-n %s" (shell-quote-argument host))) (and instance (format "-i %d" instance)) - (and user (format "-u %s" user)) + (and user (format "-u %s" (shell-quote-argument user))) (and password (format "-p %s" (shell-quote-argument password))) - (and database (format "-d %s" database)))) + (and database (format "-d %s" (shell-quote-argument database))))) " ")) (defun org-babel-sql-convert-standard-filename (file) 
@@ -276,21 +286,23 @@ (defun org-babel-execute:sql (body params) (or cmdline "") (org-babel-process-file-name in-file) (org-babel-process-file-name out-file))) - ((postgresql postgres) (format - "%s%s --set=\"ON_ERROR_STOP=1\" %s -A -P \ + ((postgresql postgres) + (format + "%s%s --set=\"ON_ERROR_STOP=1\" %s -A -P \ footer=off -F \"\t\" %s -f %s -o %s %s" - (if dbpassword - (format "PGPASSWORD=%s " dbpassword) - "") - (or (bound-and-true-p - sql-postgres-program) - "psql") - (if colnames-p "" "-t") - (org-babel-sql-dbstring-postgresql - dbhost dbport dbuser database) - (org-babel-process-file-name in-file) - (org-babel-process-file-name out-file) - (or cmdline ""))) + (if dbpassword + (format "PGPASSWORD=%s " + (shell-quote-argument dbpassword)) + "") + (or (bound-and-true-p + sql-postgres-program) + "psql") + (if colnames-p "" "-t") + (org-babel-sql-dbstring-postgresql + dbhost dbport dbuser database) + (org-babel-process-file-name in-file) + (org-babel-process-file-name out-file) + (or cmdline ""))) (sqsh (format "sqsh %s %s -i %s -o %s -m csv" (or cmdline "") (org-babel-sql-dbstring-sqsh -- 2.45.1 --=-=-= Content-Type: text/plain -- Ihor Radchenko // yantar92, Org mode contributor, Learn more about Org mode at . Support Org development at , or support my work at --=-=-=--
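
Review bot: In `org-babel-sql-dbstring-mssql` and `org-babel-sql-dbstring-sqsh` the escaped value is still wrapped in literal double quotes, e.g. `(format "-S \"%s\"" (shell-quote-argument host))`. On POSIX shells `shell-quote-argument` escapes with backslashes, and inside double quotes a backslash before a character such as `&` is kept literally, so a password `a&b` would reach the client as `a\&b`. Drop the `\"` from these format strings, as the vertica hunk does with `"-h %s"`.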
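
Review bot: In `org-babel-sql-dbstring-saphana`, `(format "-n %s:%s" (shell-quote-argument host) port)` still formats `port` with `%s` and leaves it unquoted, although the commit message says the format strings should demand a number for port. Use `%d` there, as the oracle hunk now does with `"%s/%s@%s:%d/%s"`, so that a non-numeric port signals an error instead of being interpolated into the command.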
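
Review bot: In the postgresql branch of `org-babel-execute:sql`, `(format "PGPASSWORD=%s " (shell-quote-argument dbpassword))` fixes the `&` failure but still writes the password into the command string that is handed to the shell. Consider passing it through the process environment instead, for example by let-binding `process-environment` around the call, so the secret does not appear in the command text at all.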
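
Why the reported `PGPASSWORD=%s` command string fails on `&`, and what escaping changes, as an added shell example that is not part of the original message or of ob-sql. Assumptions: `quote_arg` is a hypothetical stand-in for Emacs' `shell-quote-argument` (same backslash style, newlines not handled), the password is constructed, and `printenv` plays the role of `psql`.

```shell
#!/bin/sh
# Constructed sample password; only the "&" matters.
PW='correct&horse'

# Hypothetical stand-in for shell-quote-argument: backslash-escape every
# character outside a conservative safe set; the empty string becomes ''.
quote_arg() {
    [ -n "$1" ] || { printf "''"; return 0; }
    printf '%s' "$1" | sed 's|[^-0-9a-zA-Z_./]|\\&|g'
}

# Hand "PGPASSWORD=<text> printenv PGPASSWORD" to sh -c, the way a formatted
# command string reaches the shell, and print what the child process
# actually received in its environment.
child_sees() {
    sh -c "PGPASSWORD=$1 printenv PGPASSWORD" 2>/dev/null || true
}

# Raw interpolation: the shell splits at "&", runs the assignment as a
# background job and then looks for a command named "horse".
# The child never starts, so nothing is printed.
unquoted() { child_sees "$PW"; }

# Escaped once: the child receives the password unchanged (correct&horse).
quoted() { child_sees "$(quote_arg "$PW")"; }

# Escaped and then wrapped in double quotes: inside "..." the backslash
# before "&" is kept, so the child receives correct\&horse.
double_quoted() { child_sees "\"$(quote_arg "$PW")\""; }
```
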