From: Ihor Radchenko <yantar92@posteo.net>
To: Max Nikulin <manikulin@gmail.com>
Cc: emacs-orgmode@gnu.org
Subject: Re: Warn about shell-expansion in the docstring of org-latex-to-html-convert-command
Date: Tue, 19 Mar 2024 14:48:19 +0000
Message-ID: <87plvqwa4s.fsf@localhost>
In-Reply-To: <ut96a7$i6d$1@ciao.gmane.io>
Max Nikulin <manikulin@gmail.com> writes:
>>> On 12/03/2024 20:03, Ihor Radchenko wrote:
>>> - '%i' and "%i" in any position including e.g. --option='%i' and
>>> protocol:"%i"
>>> - 'something%i' and "something%i" surrounded by spaces or at the end of
>>> command but with no spaces in "something".
>>
>> I am not confident that it will be safe. For example, consider something
>> awkward like foo\"%ibar\". I imagine that other edge cases are possible,
>> especially in exotic shells.
>
> I think quotes should not be stripped in such peculiar cases. The
> variants I suggested do not match it. Is it realistic?
I am afraid that there are other peculiar cases. I do not know how to
determine which case is peculiar and when it is safe to strip the quotes
in the code. I feel that if we do try to strip only "safe" cases, we
will introduce subtle bugs and then introduce even more breaking changes
by fixing those bugs.

It is more robust to not strip the quotes at all and go ahead with
the breaking change.
>>>>> - I expected it as bugfix.
>>
>> It does not matter that most users will not be affected. Some users
>> being affected is enough to not commit this to bugfix. Our policy is not
>> to commit unsafe changes that may break existing configurations to
>> bugfix branch. Except critical fixes.
>
> Reasons why I consider this issue severe enough:
> - Something weird may be executed as shell commands
> - Incorrect formulas in exported documents are more than just
> disappointment. An example of a complaint related to another bug:
> Re: Inequalities in math blocks. Wed, 06 Oct 2021 09:39:23 +0200.
> https://list.orgmode.org/m2bl42bo0k.fsf@me.com
I do not see these reasons as _critical_. In my mind, critical reasons
would be (1) Org mode completely broken for many users (it is not); (2)
Security vulnerability.
This particular case seems to be subjective, so it is a judgment call.
If you insist that the fix should land on bugfix, we can add Bastien to
the discussion to get a third opinion.
>>> emacs -Q --batch --eval '(find-file-noselect "not-found.txt" t)'
>>> Error: (file-missing "Searching for program" "No such file or directory"
>>> "git")
>>
>> This looks like Emacs bug. Likely in `vc-refresh-state'.
>
> It is an Emacs bug that missing git executable leads to a fatal error.
>
> It is a bug in Org that some hooks are called when just file content is
> necessary.
I would not necessarily call it a bug, but I do not see downsides of
using `insert-file-contents' instead of `find-file-noselect' and not
running `find-file-hook' in this particular case (other cases in Org
tree appear to be fine from a quick glance).
--
Ihor Radchenko // yantar92,
Org mode contributor,
Learn more about Org mode at <https://orgmode.org/>.
Support Org development at <https://liberapay.com/org-mode>,
or support my work at <https://liberapay.com/yantar92>
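
Added example (not part of the original message and not Org's code): a Python model of the quote-stripping trade-off discussed above, assuming the fix shell-quotes the value substituted for %i. `shlex.quote` stands in for Emacs's shell quoting, the two regexes are one hypothetical reading of the listed variants, and the `converter` templates and the formula are constructed.

```python
import re
import shlex

# Hypothetical matcher for the variants listed in the thread:
#   '%i' / "%i" in any position, and 'something%i' / "something%i"
#   standing alone as a whitespace-delimited word.
_BARE = re.compile(r"""(['"])%i\1""")
_PREFIXED = re.compile(r"""(?<!\S)(['"])([^\s'"%]+)%i\1(?!\S)""")


def strip_listed_quotes(template):
    """Drop quotes around %i only where one of the listed variants matches."""
    template = _PREFIXED.sub(r"\2%i", template)
    return _BARE.sub("%i", template)


def expand(template, value, strip=False):
    """Substitute a shell-quoted value for %i (shlex.quote is a stand-in)."""
    if strip:
        template = strip_listed_quotes(template)
    return template.replace("%i", shlex.quote(value))


def words(command):
    """Split the way a POSIX shell would, without executing anything.
    shlex does not model operators: a real shell would treat an unquoted
    '<' word as a redirection rather than as an argument."""
    return shlex.split(command)


FORMULA = "a < b"  # constructed sample input

# Constructed templates; "converter" is a hypothetical program name.
TEMPLATES = [
    "converter %i",                    # unquoted placeholder
    "converter '%i'",                  # listed variant
    "converter --option='%i'",         # listed variant
    'converter "in:%i"',               # listed variant with a prefix
    'converter foo\\"%ibar\\"',        # the awkward case from the thread
    'converter --title="Formula %i"',  # quoted, but matches no variant
    'converter "pre"%i"post"',         # adjacent quotes that look like "%i"
]


def report():
    """Map each template to (words with quotes kept, words after stripping)."""
    return {t: (words(expand(t, FORMULA)), words(expand(t, FORMULA, strip=True)))
            for t in TEMPLATES}


if __name__ == "__main__":
    for template, (kept, stripped) in report().items():
        print(f"{template!r}\n  kept:     {kept}\n  stripped: {stripped}")
```

The last template yields a single correct argument when left alone but gains literal quotes once the matcher rewrites it, and the `--title` template matches no variant, so its argument carries literal quotes whether or not stripping is enabled.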