From mboxrd@z Thu Jan  1 00:00:00 1970
From: Christopher Allan Webber <cwebber@dustycloud.org>
Subject: Re: [BUG] [Babel] Quotes-in-strings not being escaped in python,
 breaking output
Date: Tue, 09 Nov 2010 16:34:19 -0600
Message-ID: <87aalijfdg.fsf@dustycloud.org>
References: <87tyjqjuwy.fsf@dustycloud.org> <87k4kmjuhm.fsf@dustycloud.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Return-path: <emacs-orgmode-bounces+geo-emacs-orgmode=m.gmane.org@gnu.org>
Received: from [140.186.70.92] (port=36531 helo=eggs.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.43) id 1PFwlc-0002qp-Fe
	for emacs-orgmode@gnu.org; Tue, 09 Nov 2010 17:34:20 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <cwebber@dustycloud.org>) id 1PFwlH-00014B-V0
	for emacs-orgmode@gnu.org; Tue, 09 Nov 2010 17:33:56 -0500
Received: from li28-75.members.linode.com ([75.127.72.75]:46846)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <cwebber@dustycloud.org>) id 1PFwlH-000143-RH
	for emacs-orgmode@gnu.org; Tue, 09 Nov 2010 17:33:55 -0500
Received: from grumps (localhost [127.0.0.1])
	by li28-75.members.linode.com (Postfix) with ESMTP id 227BBC90E
	for <emacs-orgmode@gnu.org>; Tue,  9 Nov 2010 22:33:54 +0000 (UTC)
In-Reply-To: <87k4kmjuhm.fsf@dustycloud.org> (Christopher Allan Webber's
	message of "Tue, 09 Nov 2010 11:07:49 -0600")
List-Id: "General discussions about Org-mode." <emacs-orgmode.gnu.org>
List-Unsubscribe: <http://lists.gnu.org/mailman/listinfo/emacs-orgmode>,
	<mailto:emacs-orgmode-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/emacs-orgmode>
List-Post: <mailto:emacs-orgmode@gnu.org>
List-Help: <mailto:emacs-orgmode-request@gnu.org?subject=help>
List-Subscribe: <http://lists.gnu.org/mailman/listinfo/emacs-orgmode>,
	<mailto:emacs-orgmode-request@gnu.org?subject=subscribe>
Sender: emacs-orgmode-bounces+geo-emacs-orgmode=m.gmane.org@gnu.org
Errors-To: emacs-orgmode-bounces+geo-emacs-orgmode=m.gmane.org@gnu.org
To: emacs-orgmode@gnu.org

I worry about this a bit because of the possible security issue: the
ability to execute arbitrary code, since the structure that gets
constructed is eval'ed.

eg:

#+BEGIN_SRC python
return [['607', 'Show license short name on the deed'],
        ['255', "'))(message (concat 'hello ' 'world"]]
#+END_SRC

That constructs a set of listp objects which are evaluated and look
like:

'(("607" "Show license short name on the deed") ("255" ""))
(message (concat "hello " "world"))

It doesn't seem like the second one is being evaluated but it makes me
nervous that it's being passed through eval like this at all.

Christopher Allan Webber <cwebber@dustycloud.org> writes:

> It looks like \' and " are not being escaped in
> org-babel-python-table-or-string, which is the problem.
>
> Christopher Allan Webber <cwebber@dustycloud.org> writes:
>
>> Strings with quotes in them aren't having the inner quotes escaped right
>> while read by ob-python in python.  Example:
>>
>> #+BEGIN_SRC python
>> return [['607', 'Show license short name on the deed'],
>>         ['255', '"Smart" 404 pages']]
>> #+END_SRC
>>
>> #+results:
>> | 607 | Show license short name on the deed |       |           |
>> | 255 |                                     | Smart | 404 pages |
>>
>>
>>
>> _______________________________________________
>> Emacs-orgmode mailing list
>> Please use `Reply All' to send replies to the list.
>> Emacs-orgmode@gnu.org
>> http://lists.gnu.org/mailman/listinfo/emacs-orgmode
>
> _______________________________________________
> Emacs-orgmode mailing list
> Please use `Reply All' to send replies to the list.
> Emacs-orgmode@gnu.org
> http://lists.gnu.org/mailman/listinfo/emacs-orgmode