On 10.02.2024 00:04, Ihor Radchenko wrote:
> gerard.vermeulen@posteo.net writes:
> 
>> I have a direct use for org-latex-toc-command being a file local
>> safe variable and I looked a bit around for other variables not
>> being file local safe for no good reason IMO (why those not,
>> while similar variables yes).
>> 
>> I have attached a patch which makes six variables file local safe.
> 
> Thanks! I agree about all but org-latex-toc-command.
> Although, I am not sure if org-latex-toc-command is really safe to set
> to arbitrary value.

You are right, it is not safe, BUT:

The attached org file (not really malicious) shows how to create a 
malicious
org file for any file local "safe" string variable in ox-latex when 
exporting
to latex and compiling with the -shell-escape option.

Therefore, I attached a patch removing the :safe #'stringp from those
variables.