From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Eric Schulte"
Subject: Re: [BUG] [Babel] Quotes-in-strings not being escaped in python, breaking output
Date: Mon, 22 Nov 2010 18:57:10 -0700
Message-ID: <87d3pwpzt5.fsf@gmail.com>
References: <87tyjqjuwy.fsf@dustycloud.org> <87k4kmjuhm.fsf@dustycloud.org> <87aalijfdg.fsf@dustycloud.org>
In-Reply-To: <87aalijfdg.fsf@dustycloud.org> (Christopher Allan Webber's message of "Tue, 09 Nov 2010 16:34:19 -0600")
To: Christopher Allan Webber
Cc: emacs-orgmode@gnu.org

Hi,

Thanks for raising this issue up. While I don't consider it a security
issue (code blocks are already executing arbitrary code on your system),
it is certainly a failure in the parsing of input from scripting
languages (actually any language which has single-quote delimited
strings). I just pushed up a fix which should resolve these issues (and
some related issues) in Ruby, Python and Haskell. The following example
now executes as expected for me.

Thanks for the report -- Eric

** reading from single-quote-delim languages

#+BEGIN_SRC python
return [['607', 'Show license short, name on the deed'],
        ['255', "'(message (concat 'hello ' 'world))"]]
#+END_SRC

#+results:
| 607 | Show license short, name on the deed |
| 255 | '(message (concat 'hello ' 'world)) |

#+begin_src ruby
[['607', 'Show license, short name on the deed'],
 ['255', "))'(message (concat 'hello ' 'world"]]
#+end_src

#+results:
| 607 | Show license, short name on the deed |
| 255 | ))'(message (concat 'hello ' 'world  |

#+begin_src haskell
[["'single quotes'", "b"], ["\"double quotes\"", "d"]]
#+end_src

#+results:
| 'single quotes' | b |
| "double quotes" | d |

Christopher Allan Webber writes:

> I worry about this a bit because of the possible security issue: the
> ability to execute arbitrary code, since the structure that gets
> constructed is eval'ed.
>
> eg:
>
> #+BEGIN_SRC python
> return [['607', 'Show license short name on the deed'],
>         ['255', "'))(message (concat 'hello ' 'world"]]
> #+END_SRC
>
> That constructs a set of listp objects which are evaluated and look
> like:
>
> '(("607" "Show license short name on the deed") ("255" ""))
> (message (concat "hello " "world"))
>
> It doesn't seem like the second one is being evaluated but it makes me
> nervous that it's being passed through eval like this at all.
>
> Christopher Allan Webber writes:
>
>> It looks like \' and " are not being escaped in
>> org-babel-python-table-or-string, which is the problem.
>>
>> Christopher Allan Webber writes:
>>
>>> Strings with quotes in them aren't having the inner quotes escaped right
>>> while read by ob-python in python.
>>>
>>> Example:
>>>
>>> #+BEGIN_SRC python
>>> return [['607', 'Show license short name on the deed'],
>>>         ['255', '"Smart" 404 pages']]
>>> #+END_SRC
>>>
>>> #+results:
>>> | 607 | Show license short name on the deed | | |
>>> | 255 | | Smart | 404 pages |
>>>
>>> _______________________________________________
>>> Emacs-orgmode mailing list
>>> Please use `Reply All' to send replies to the list.
>>> Emacs-orgmode@gnu.org
>>> http://lists.gnu.org/mailman/listinfo/emacs-orgmode