From: Ihor Radchenko <yantar92@posteo.net>
To: Max Nikulin <manikulin@gmail.com>
Cc: emacs-orgmode@gnu.org, "Martin Edström" <meedstrom91@gmail.com>
Subject: Re: Warn about shell-expansion in the docstring of org-latex-to-html-convert-command
Date: Fri, 08 Mar 2024 11:16:23 +0000
Message-ID: <87jzmdht2w.fsf@localhost>
In-Reply-To: <735645dd-1ddf-4579-a6dd-2700f3e83c94@gmail.com>


Max Nikulin <manikulin@gmail.com> writes:

>>> It should be more reliable to pass the fragment to the command's stdin. It can be
>>> done if %i is missing in `org-latex-to-html-convert-command'.
>> 
>> I agree that it will be more reliable to shell-escape the argument.
>> However, I am concerned that escaping may break certain uses like
>> 
>> somecommand << EOF
>> %i
>> EOF
>> 
>> In the above scenario, escaping will break things.
>
> It is unsafe to use such a command. Variable expansion, etc. is performed
> inside here-document blocks. Try
>
> cat << EOF
> \[f(i), \text{where $i \ne 10$}\]
> EOF

I did not know this. Thanks for the info.

> That is why I proposed to use stdin in the case of missed %i.
>
> `org-latex-to-html-convert-command' should be set to something like
> "latexmlc --profile=math --preload=siunitx.sty - 2>/dev/null"
> in this case.

I decided not to introduce stdin. Users can always use echo %i | ... instead.

>> That's why I prefer to add a new replacement, not change the meaning of
>> %i. We might even remove %i from the docstring, keeping support in the
>> code for backwards-compatibility.
>
> What you call backward compatibility is actually a means to get strange
> results in the case of complex math. It is better to force users to
> update their configuration (I hope it actually will not be necessary) and to
> ensure a safe command without pitfalls related to missed parts of equations.

Agree.
This breaking change cannot be avoided, unfortunately.
Even stripping quotes is unreliable when we use the example from
docstring: 'literal:%i'. So, we have to bite the bullet.

>> test2.html is rendered *incorrectly* as in the attached screenshot.
>
> Looks like a missing <meta charset="UTF-8"> inside <head>
> ...

Exporting an Org document using

(setq org-html-with-latex 'html)
(setq org-latex-to-html-convert-command "latexmlc 'literal:%i' --profile=math --preload=siunitx.sty 2>/dev/null")

renders just fine, so these caveats appear to be terminal-specific. Not
our problem.

Attaching tentative patch that fixes the problem.


[-- Attachment #2: 0001-org-latex-to-mathml-html-convert-command-Prevent-she.patch --]

From 34e5e14260cf895b32f13ed8f4c2e50684f91baf Mon Sep 17 00:00:00 2001
Message-ID: <34e5e14260cf895b32f13ed8f4c2e50684f91baf.1709896570.git.yantar92@posteo.net>
From: Ihor Radchenko <yantar92@posteo.net>
Date: Fri, 8 Mar 2024 14:05:12 +0300
Subject: [PATCH] org-latex-to-mathml/html-convert-command: Prevent shell
 expansion

* lisp/org.el (org-create-math-formula):
(org-format-latex-as-html): Shell-quote LaTeX fragment text when
replacing %i placeholder.  This prevents shell expansion of
$... and similar constructs inside the code.
(org-latex-to-mathml-convert-command):
(org-latex-to-html-convert-command): Update the docstring.
* etc/ORG-NEWS (~org-latex-to-mathml-convert-command~ and
~org-latex-to-html-convert-command~ shell-escape LaTeX code): Announce
the breaking change.

Reported-by: Max Nikulin <manikulin@gmail.com>
Link: https://orgmode.org/list/735645dd-1ddf-4579-a6dd-2700f3e83c94@gmail.com
---
 etc/ORG-NEWS | 10 ++++++++++
 lisp/org.el  | 17 ++++++-----------
 2 files changed, 16 insertions(+), 11 deletions(-)

diff --git a/etc/ORG-NEWS b/etc/ORG-NEWS
index abe62daaf..9f628bc10 100644
--- a/etc/ORG-NEWS
+++ b/etc/ORG-NEWS
@@ -13,6 +13,16 @@ Please send Org bug reports to mailto:emacs-orgmode@gnu.org.
 
 * Version 9.7 (not released yet)
 ** Important announcements and breaking changes
+*** ~org-latex-to-mathml-convert-command~ and ~org-latex-to-html-convert-command~ shell-escape LaTeX code
+
+Previously, ~org-latex-to-mathml-convert-command~ and
+~org-latex-to-html-convert-command~ replaced %i placeholders with raw
+LaTeX fragment text, potentially triggered shell-expansion.
+
+Now, the %i placeholders are shell-escaped to prevent shell expansion - this will prevent.
+
+The existing customizations that assume no shell-escaping must be updated.
+
 *** When ~org-link-file-path-type~ is a function, its argument is now a filename as it is read by ~org-insert-link~; not an absolute path
 
 Previously, when ~org-link-file-path-type~ is set to a function, the
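Review bot: the second paragraph of the new NEWS entry ends in an unfinished sentence, "Now, the %i placeholders are shell-escaped to prevent shell expansion - this will prevent."; drop the dangling clause after the hyphen. In the first paragraph, "replaced %i placeholders with raw LaTeX fragment text, potentially triggered shell-expansion" should read "..., which could trigger shell expansion". The last paragraph ("existing customizations that assume no shell-escaping must be updated") would be more actionable if it said what to change, namely that quotes around %i, as in the old docstring example 'literal:%i', must now be removed.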
diff --git a/lisp/org.el b/lisp/org.el
index 33d90506b..a00d50c51 100644
--- a/lisp/org.el
+++ b/lisp/org.el
@@ -3246,7 +3246,7 @@ (defcustom org-latex-to-mathml-convert-command nil
 %j:     Executable file in fully expanded form as specified by
         `org-latex-to-mathml-jar-file'.
 %I:     Input LaTeX file in fully expanded form.
-%i:     The latex fragment to be converted.
+%i:     Shell-escaped LaTeX fragment to be converted.
 %o:     Output MathML file.
 
 This command is used by `org-create-math-formula'.
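Review bot: the new %i line, "Shell-escaped LaTeX fragment to be converted", states the fact but not its consequence for the user writing the command; since the other escaped placeholders on the lines above (%j, %I, %o) are also meant to be used bare, a short clause such as "(use it unquoted)" on the %i line would make the rule explicit and match the example that follows.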
@@ -3255,7 +3255,7 @@ (defcustom org-latex-to-mathml-convert-command nil
 \"java -jar %j -unicode -force -df %o %I\".
 
 When using LaTeXML set this option to
-\"latexmlmath \"%i\" --presentationmathml=%o\"."
+\"latexmlmath %i --presentationmathml=%o\"."
   :group 'org-latex
   :version "24.1"
   :type '(choice
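Review bot: dropping the escaped double quotes from the example ("latexmlmath %i --presentationmathml=%o") is correct, but anyone who copied the previous example, "latexmlmath \"%i\" ...", now has the escaped fragment sitting inside double quotes and will hand latexmlmath an argument that still contains the escaping; that is the breaking change, so the NEWS entry should show this before/after pair rather than only saying configurations "must be updated".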
@@ -3268,15 +3268,10 @@ (defcustom org-latex-to-html-convert-command nil
 directly replace the LaTeX fragment in the resulting HTML.
 Replace format-specifiers in the command as noted below and use
 `shell-command' to convert LaTeX to HTML.
-%i:     The LaTeX fragment to be converted.
+%i:     The LaTeX fragment to be converted (shell-escaped).
 
 For example, this could be used with LaTeXML as
-\"latexmlc \\='literal:%i\\=' --profile=math --preload=siunitx.sty 2>/dev/null\".
-
-The LaTeX fragment is replaced as is, without escaping special shell
-syntax.  It may be necessary to use single-quotes around \\='%i\\=', not
-double-quotes.  Else a math fragment such as \"$y = 200$\" may be
-expanded to \" = 200\"."
+\"latexmlc literal:%i --profile=math --preload=siunitx.sty 2>/dev/null\"."
   :group 'org-latex
   :package-version '(Org . "9.4")
   :type '(choice
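Review bot: the deleted paragraph about "$y = 200$" being expanded to " = 200" was the only place that explained what could go wrong; rather than removing it outright, keep a one-line note that %i is already escaped and must not be wrapped in quotes, so that readers who remember the old \='literal:%i\=' example do not keep the single quotes and end up passing the escaping literally. Separately, the unchanged context line above still says the command is run with `shell-command', while org-format-latex-as-html in the last hunk calls `shell-command-to-string'; worth aligning while this docstring is being edited.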
@@ -16210,7 +16205,7 @@ (defun org-create-math-formula (latex-frag &optional mathml-file)
 			      (expand-file-name
 			       org-latex-to-mathml-jar-file))))
 		 (?I . ,(shell-quote-argument tmp-in-file))
-		 (?i . ,latex-frag)
+		 (?i . ,(shell-quote-argument latex-frag))
 		 (?o . ,(shell-quote-argument tmp-out-file)))))
 	 mathml shell-command-output)
     (when (called-interactively-p 'any)
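Review bot: `shell-quote-argument' is the right primitive here and is consistent with how %I and %o are already built two lines above. Since this is a behaviour change in a code path that is hard to notice until an equation silently loses a term, add a regression test that runs org-create-math-formula with a command that just echoes %i back, using a fragment containing $, a backquote and a single quote (the \text{where $i \ne 10$} example from this thread is a good candidate), and asserts the fragment arrives unchanged.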
@@ -16277,7 +16272,7 @@ (defun org-format-latex-as-html (latex-fragment)
   "Convert LATEX-FRAGMENT to HTML.
 This uses  `org-latex-to-html-convert-command', which see."
   (let ((cmd (format-spec org-latex-to-html-convert-command
-			  `((?i . ,latex-fragment)))))
+			  `((?i . ,(shell-quote-argument latex-fragment))))))
     (message "Running %s" cmd)
     (shell-command-to-string cmd)))
 
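Review bot: `shell-command-to-string' collects stderr together with stdout, so the "2>/dev/null" in the docstring example above is required rather than optional: without it, any warning the converter prints ends up in the exported HTML. A one-line mention of that in the docstring would save users debugging odd output after they rewrite their command for the new escaping, and the (message "Running %s" cmd) call, which now shows the fully escaped command, is a helpful aid for that.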
-- 
2.43.0


-- 
Ihor Radchenko // yantar92,
Org mode contributor,
Learn more about Org mode at <https://orgmode.org/>.
Support Org development at <https://liberapay.com/org-mode>,
or support my work at <https://liberapay.com/yantar92>
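An added example, not code from this thread or from Org mode, reproducing the behaviour the discussion turns on: a LaTeX fragment spliced raw into a command (inside double quotes, as in the old docstring example, or in a here-document) has its $i expanded by the shell, while the backslash-escaped form that Emacs' shell-quote-argument produces on POSIX systems is delivered unchanged. The sh_quote function is an assumed, simplified re-implementation of that escaping for single-line fragments; the sample fragment is the one from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from Org mode.  It shows the
# two failure modes discussed above (a raw fragment inside "..." or a
# here-document gets $i expanded) next to the escaped form the patch uses.

# Constructed sample fragment, taken from the discussion above.
FRAG='\[f(i), \text{where $i \ne 10$}\]'

# Assumed, simplified equivalent of Emacs' shell-quote-argument on POSIX:
# backslash every character outside [-0-9a-zA-Z_./]; "" becomes ''.
# Single-line fragments only (Emacs treats embedded newlines separately).
sh_quote() {
  if [ -z "$1" ]; then printf "''"; return; fi
  printf '%s' "$1" | sed 's|[^-0-9a-zA-Z_./]|\\&|g'
}

# Old behaviour 1: the raw fragment lands inside double quotes, as in the
# former docstring example "latexmlmath \"%i\" ...".
double_quoted_substitution() {
  sh -c "unset i; printf '%s\n' \"$1\""
}

# Old behaviour 2: the raw fragment is fed through a here-document.
# Parameter expansion still happens in an unquoted here-document body.
heredoc_substitution() {
  sh -c "unset i; cat <<EOF
$1
EOF"
}

# New behaviour: %i is replaced by the escaped fragment, used unquoted.
# printf instead of echo: some /bin/sh implementations (dash) interpret
# backslash escapes such as \t in echo's arguments.
quoted_substitution() {
  sh -c "printf '%s\n' $(sh_quote "$1")"
}

main() {
  printf 'original:      %s\n' "$FRAG"
  printf 'double-quoted: %s\n' "$(double_quoted_substitution "$FRAG")"
  printf 'here-document: %s\n' "$(heredoc_substitution "$FRAG")"
  printf 'escaped:       %s\n' "$(quoted_substitution "$FRAG")"
}

main
```

Only the last line of the output equals the original fragment; in the other two the shell has replaced $i with nothing.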
