From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp10.migadu.com ([2001:41d0:2:bcc0::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms5.migadu.com with LMTPS id eD7TIP28QmMXQgAAbAwnHQ (envelope-from ) for ; Sun, 09 Oct 2022 14:22:21 +0200 Received: from aspmx1.migadu.com ([2001:41d0:2:bcc0::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp10.migadu.com with LMTPS id eb4KIP28QmPUcAEAG6o9tA (envelope-from ) for ; Sun, 09 Oct 2022 14:22:21 +0200 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 313DA17BBF for ; Sun, 9 Oct 2022 14:22:21 +0200 (CEST) Received: from localhost ([::1]:34668 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1ohVK0-0006Dp-CP for larch@yhetil.org; Sun, 09 Oct 2022 08:22:20 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:43494) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1ohVJI-0006Bm-QY for emacs-orgmode@gnu.org; Sun, 09 Oct 2022 08:21:36 -0400 Received: from mout01.posteo.de ([185.67.36.65]:51051) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1ohVJE-0004ZW-GT for emacs-orgmode@gnu.org; Sun, 09 Oct 2022 08:21:36 -0400 Received: from submission (posteo.de [185.67.36.169]) by mout01.posteo.de (Postfix) with ESMTPS id B67A8240029 for ; Sun, 9 Oct 2022 14:21:30 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=posteo.net; s=2017; t=1665318090; bh=u0670+/hfC7uq/XSw0Xv2AbbcEfZHsFnVx0rplmuwlM=; h=From:To:Cc:Subject:Date:From; b=mkce4EqxAkAku4W4f26SD/ANw28NduwjHbSX3uFhLHZwtDS6GJhU9lca5IDSa5exM LFHhB5OSFRLSSAXcHflrpa172aLW50w0WwBoDfdzYi8EcwpHQvdXrdEQH3JtYVZFSs ZRiLtsXMza3j9K4UgOG+jS2DLXxoq+K0xMUHtXEAj/+dkBhW1pV/JpVmsCluyTFuTT 9VsQj/Tf4LXrUqt/zFZHQIT8hxuhd4Y3INCbe+V6ogXKqiXQenQbALTzKlt/0W1FMl N9dexmkPBOHcME6nWDptQMF0iUEBuMTFM8zqNku4XmMQPS0VREQH4YeCNJa4AEZikM b86PYhsrf/RgA== Received: from customer (localhost [127.0.0.1]) by submission (posteo.de) with ESMTPSA id 4Mlh3s3F61z9rxM; Sun, 9 Oct 2022 14:21:29 +0200 (CEST) From: =?utf-8?Q?Juan_Manuel_Mac=C3=ADas?= To: Max Nikulin Cc: emacs-orgmode@gnu.org Subject: Re: [tip] Create and Insert a public Nextcloud/Owncloud link References: <87bkqme6cw.fsf@posteo.net> Date: Sun, 09 Oct 2022 12:21:26 +0000 In-Reply-To: (Max Nikulin's message of "Sun, 9 Oct 2022 10:32:58 +0700") Message-ID: <87ilktyypl.fsf@posteo.net> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Received-SPF: pass client-ip=185.67.36.65; envelope-from=maciaschain@posteo.net; helo=mout01.posteo.de X-Spam_score_int: -27 X-Spam_score: -2.8 X-Spam_bar: -- X-Spam_report: (-2.8 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: emacs-orgmode@gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "General discussions about Org-mode." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: emacs-orgmode-bounces+larch=yhetil.org@gnu.org Sender: "Emacs-orgmode" X-Migadu-Flow: FLOW_IN X-Migadu-Country: US ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1665318141; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:list-id:list-help: list-unsubscribe:list-subscribe:list-post:dkim-signature; bh=f0hE4+WSjkfvdyZ4pIPuCQNUnRaBguXQzYINE7IpliY=; b=GTQxn13jEeccxzyJTOHmQf8XFzEPmbKiEvfx090taToRptmMWBYWXo3Du5+tD01h7jKPlk 1lNLLq8g+cnJUcU5HbRkkHTRMbsuMPAtzjBHTMqwHTFAcODYV02eDtJxdXscE6i9WiNRjA YtUHB8glC/3zG08z0couyunZwUQTuNdLvtU+uZb/6lgUUUwQCQvP7oSjXlID9NcjVkdUtT 0sypXhiQk3mxDvm/FJIFwb0p7+l2LVhMgA/XGxLI1bGnSTaz5zI9Ygj+PFEmZxXKp/aE+k 85LVLZpsJifIzb3PesRbU7vMk9dORyKOK2vXj1+rXPbyG1X/EZ6pvX23OVRHFg== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1665318141; a=rsa-sha256; cv=none; b=pN7eXiBLY3qdo0lDUUVhyqbuDI89An2l+M9Xq7R2ugy7hB0BeZWit+KE1N173aX0hgZlL0 4rPA/JQIlPUGVX1N4mZRWsn9Lov9KyQZg54SSlsccipAgebkeRmHqzomwZx8foCGcPOMu1 xDZj/iWN6Agrl+Lm8vwAEovfHjdcvmrfyfWtJBZ/jeF3Q+w8448nTjQ0MjoUGGFGp+hgAU bM6NfSeF2FnCWt77xD3IU9lEw3byCBg3Z21nFK0kF6bywwbismkzEfrKTDOBJTltN4ywwM 9Gj9hDUkr5b9nPgO8GmGWO+nvOh9Hkuqnp3OAjwxi1UzxPlHIRCyXvtUDAltjQ== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=pass header.d=posteo.net header.s=2017 header.b=mkce4Eqx; dmarc=pass (policy=none) header.from=posteo.net; spf=pass (aspmx1.migadu.com: domain of "emacs-orgmode-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="emacs-orgmode-bounces+larch=yhetil.org@gnu.org" X-Migadu-Spam-Score: -2.48 Authentication-Results: aspmx1.migadu.com; dkim=pass header.d=posteo.net header.s=2017 header.b=mkce4Eqx; dmarc=pass (policy=none) header.from=posteo.net; spf=pass (aspmx1.migadu.com: domain of "emacs-orgmode-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="emacs-orgmode-bounces+larch=yhetil.org@gnu.org" X-Migadu-Queue-Id: 313DA17BBF X-Spam-Score: -2.48 X-Migadu-Scanner: scn1.migadu.com X-TUID: SCV8pALEW1Yn Max Nikulin writes: >> Many times I need to create and share a public link to a file >> in my local folder. In the Nextcloud forum I learned how it can be done >> from the command line using curl, > .. >> =E2=94=82 (result-raw (shell-command-to-string >> =E2=94=82 (concat "curl -u " >> =E2=94=82 "\"" >> =E2=94=82 my-username >> =E2=94=82 ":" >> =E2=94=82 my-passwd >> =E2=94=82 "\"" > > Juan Manuel, your function is a nice proof of concept, but posting > such code you are responsible for users who may try to use it verbatim > having less experience with elisp. > > Use at least `shell-quote-argument' (though it docstring has a link to > info "(elisp)Security Considerations"). Just adding quote characters > is unsafe. You may avoid non-alphanumeric characters in passwords and > file names for good reasons, but for other users a quote character may > dramatically change the executed command. > > When TRAMP support is not necessary, arguments should be passed to > external binary as a list without intermediate shell command. I know, > Emacs does not have a convenience function with such calling > convention similar to `shell-command-to-string'. > > I am almost sure that Emacs has a package to send HTTP POST requests > directly from elisp. Unsure it has convenient enough API (reasonable > default timeouts, etc.), but it should be safer for working with > peculiar file names and passwords stuffed with characters having > special meaning in shell. I admit that the code would be more verbose. > It may save you time for recovering you system from damage caused by > unexpected interpretation of a shell command. Maxim, you are right that the use of shell-quote-argument is preferable in cases like these to avoid unexpected problems with filenames, passwords, and so on. I try to use it almost always. If I don't use it more often, it's either because I'm lazy (because of my way of naming the files, I don't expect this type of problems) or because I think it's unnecessary, although not 100% free of danger[1], as in this case. I'm not saying my behavior is exemplary, I'm just saying what I tend to do. I should probably always use shell-quote-argument. In this case, the affected part of my function would perhaps look better like this: (shell-command-to-string (mapconcat #'shell-quote-argument `("curl" "-u" ,(format "%s:%s" my-user my-password) "-H" "OCS-APIRequest:true" "-X" "POST" ,(format=20 "%s/ocs/v1.php/apps/files_sharing/api/v1/shares" nextcloud-url) "-d" ,(format "path=3D%s/%s" nextcloud-public-folder-name file) "-d" "shareType=3D3" "-d" "permissions=3D1") " ")) [1] I think that a problem in this context would not go beyond the fact that the function simply did not work as expected. Perhaps it would have been better to use call-process-shell-command, instead of shell-command-to-string, and extract the resulting string from the output buffer. On the other hand, I agree with you that whenever possible it is better to use an Elisp solution than a shell command. Best regards, Juan Manuel=20 --=20 -- ------------------------------------------------------ Juan Manuel Mac=C3=ADas=20 https://juanmanuelmacias.com https://lunotipia.juanmanuelmacias.com https://gnutas.juanmanuelmacias.com