From: Ihor Radchenko
To: Max Nikulin
Cc: emacs-orgmode@gnu.org
Subject: Re: Warn about shell-expansion in the docstring of org-latex-to-html-convert-command
References: <87wmr1rc2w.fsf@localhost> <874jdzjqkk.fsf@localhost> <6e49c590-ad27-4fb0-b1f2-6a89c60a0b58@gmail.com> <87msrncxhq.fsf@localhost> <735645dd-1ddf-4579-a6dd-2700f3e83c94@gmail.com> <87jzmdht2w.fsf@localhost>
Date: Sun, 31 Mar 2024 08:25:31 +0000
Message-ID: <87v852g64k.fsf@localhost>

Max Nikulin writes:

>> Attaching tentative patch that fixes the problem.
>
> I think it is in the right direction.
> - Manual needs update as well.
> - I would explicitly stress that quotes cause undefined or even
>   dangerous behavior. See e.g. the last paragraph
>   https://specifications.freedesktop.org/desktop-entry-spec/latest/ar01s07.html

I have incorporated the above suggestions into the attached version of the patch.
--=-=-= Content-Type: text/x-patch Content-Disposition: inline; filename=0001-org-latex-to-mathml-html-convert-command-Prevent-she.patch >From 5dbe4457d0d938e8830888bc3ac58d6a43136558 Mon Sep 17 00:00:00 2001 Message-ID: <5dbe4457d0d938e8830888bc3ac58d6a43136558.1711873441.git.yantar92@posteo.net> From: Ihor Radchenko Date: Fri, 8 Mar 2024 14:05:12 +0300 Subject: [PATCH] org-latex-to-mathml/html-convert-command: Prevent shell expansion * lisp/org.el (org-create-math-formula): (org-format-latex-as-html): Shell-quote LaTeX fragment text when replacing %i placeholder. This prevents shell expansion of $... and similar constructs inside the code. (org-latex-to-mathml-convert-command): (org-latex-to-html-convert-command): Update the docstring. * etc/ORG-NEWS (~org-latex-to-mathml-convert-command~ and ~org-latex-to-html-convert-command~ shell-escape LaTeX code): Announce the breaking change. * doc/org-manual.org (LaTeX math snippets): Update example. Reported-by: Max Nikulin Link: https://orgmode.org/list/735645dd-1ddf-4579-a6dd-2700f3e83c94@gmail.com --- doc/org-manual.org | 2 +- etc/ORG-NEWS | 10 ++++++++++ lisp/org.el | 21 ++++++++++----------- 3 files changed, 21 insertions(+), 12 deletions(-) diff --git a/doc/org-manual.org b/doc/org-manual.org index c4f62644f..acc4512a5 100644 --- a/doc/org-manual.org +++ b/doc/org-manual.org @@ -15176,7 +15176,7 @@ **** LaTeX math snippets #+begin_src emacs-lisp (setq org-latex-to-mathml-convert-command - "latexmlmath \"%i\" --presentationmathml=%o") + "latexmlmath %i --presentationmathml=%o") #+end_src To quickly verify the reliability of the LaTeX-to-MathML diff --git a/etc/ORG-NEWS b/etc/ORG-NEWS index ee2cdfd16..739c3a43b 100644 --- a/etc/ORG-NEWS +++ b/etc/ORG-NEWS 
@@ -13,6 +13,16 @@ Please send Org bug reports to mailto:emacs-orgmode@gnu.org. * Version 9.7 (not released yet) ** Important announcements and breaking changes +*** ~org-latex-to-mathml-convert-command~ and ~org-latex-to-html-convert-command~ shell-escape LaTeX code + +Previously, ~org-latex-to-mathml-convert-command~ and +~org-latex-to-html-convert-command~ replaced %i placeholders with raw +LaTeX fragment text, potentially triggering shell-expansion. + +Now, the %i placeholders are shell-escaped to prevent shell expansion. + +The existing customizations that assume no shell-escaping must be updated. + *** Built-in HTML, LaTeX, Man, Markdown, ODT, and Texinfo exporters preserve the link protocol during export Previously, some link types where not exported as =protocol:uri= but diff --git a/lisp/org.el b/lisp/org.el index f3fae134d..f56767a1a 100644 --- a/lisp/org.el +++ b/lisp/org.el @@ -3266,7 +3266,9 @@ (defcustom org-latex-to-mathml-convert-command nil %j: Executable file in fully expanded form as specified by `org-latex-to-mathml-jar-file'. %I: Input LaTeX file in fully expanded form. -%i: The latex fragment to be converted. +%i: Shell-escaped LaTeX fragment to be converted. + It must not be used inside a quoted argument, the result of %i + expansion inside a quoted argument is undefined. %o: Output MathML file. This command is used by `org-create-math-formula'. @@ -3275,7 +3277,7 @@ (defcustom org-latex-to-mathml-convert-command nil \"java -jar %j -unicode -force -df %o %I\". When using LaTeXML set this option to -\"latexmlmath \"%i\" --presentationmathml=%o\"." +\"latexmlmath %i --presentationmathml=%o\"." :group 'org-latex :version "24.1" :type '(choice 
@@ -3288,15 +3290,12 @@ (defcustom org-latex-to-html-convert-command nil directly replace the LaTeX fragment in the resulting HTML. Replace format-specifiers in the command as noted below and use `shell-command' to convert LaTeX to HTML. -%i: The LaTeX fragment to be converted. +%i: The LaTeX fragment to be converted (shell-escaped). + It must not be used inside a quoted argument, the result of %i + expansion inside a quoted argument is undefined. For example, this could be used with LaTeXML as -\"latexmlc \\='literal:%i\\=' --profile=math --preload=siunitx.sty 2>/dev/null\". - -The LaTeX fragment is replaced as is, without escaping special shell -syntax. It may be necessary to use single-quotes around \\='%i\\=', not -double-quotes. Else a math fragment such as \"$y = 200$\" may be -expanded to \" = 200\"." +\"latexmlc literal:%i --profile=math --preload=siunitx.sty 2>/dev/null\"." :group 'org-latex :package-version '(Org . "9.4") :type '(choice @@ -16332,7 +16331,7 @@ (defun org-create-math-formula (latex-frag &optional mathml-file) (expand-file-name org-latex-to-mathml-jar-file)))) (?I . ,(shell-quote-argument tmp-in-file)) - (?i . ,latex-frag) + (?i . ,(shell-quote-argument latex-frag)) (?o . ,(shell-quote-argument tmp-out-file))))) mathml shell-command-output) (when (called-interactively-p 'any) @@ -16400,7 +16399,7 @@ (defun org-format-latex-as-html (latex-fragment) "Convert LATEX-FRAGMENT to HTML. This uses `org-latex-to-html-convert-command', which see." (let ((cmd (format-spec org-latex-to-html-convert-command - `((?i . ,latex-fragment))))) + `((?i . ,(shell-quote-argument latex-fragment)))))) (message "Running %s" cmd) (shell-command-to-string cmd))) -- 2.44.0 --=-=-= Content-Type: text/plain -- Ihor Radchenko // yantar92, Org mode contributor, Learn more about Org mode at . Support Org development at , or support my work at --=-=-=--
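Review bot: nothing in the doc/org-manual.org hunk carries the new rule into the manual prose: the example string changes from `"latexmlmath \"%i\" --presentationmathml=%o"` to `"latexmlmath %i --presentationmathml=%o"`, but the rule that `%i` is now shell-quoted and must not appear inside a quoted argument, which the org.el docstrings in this same patch state, appears nowhere in the manual text shown. A one-sentence note next to the example would keep the manual and the docstrings in step and give users who copied the old quoted form a reason to change it.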
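Review bot: the etc/ORG-NEWS entry tells users that "existing customizations that assume no shell-escaping must be updated" but not what to change; one concrete migration line, such as replacing `"latexmlmath \"%i\" --presentationmathml=%o"` with `"latexmlmath %i --presentationmathml=%o"` as the manual hunk does, would make the breaking change actionable. Minor wording: "The existing customizations" reads better as "Existing customizations", and "shell-expansion" in the first paragraph should match the unhyphenated "shell expansion" used two lines later.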
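Review bot: in the `org-latex-to-mathml-convert-command` docstring hunk (@@ -3266), the added sentence "It must not be used inside a quoted argument, the result of %i expansion inside a quoted argument is undefined." is a comma splice; split it into two sentences or use a semicolon. The description of `%i` here ("Shell-escaped LaTeX fragment to be converted.") also differs from the wording chosen for `org-latex-to-html-convert-command` in the same patch ("The LaTeX fragment to be converted (shell-escaped)."); using one form in both docstrings makes the rule easier to find and grep for.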
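Review bot: in the `org-latex-to-html-convert-command` docstring hunk (@@ -3288), the removed paragraph carried the only concrete explanation of the hazard (a fragment such as `"$y = 200$"` being expanded to `" = 200"`), and the replacement keeps only the prohibition. One sentence saying that the fragment is passed through `shell-quote-argument`, so `$`, quotes and similar characters reach the converter literally, would preserve that rationale for users writing their own command. The same comma splice as in the MathML docstring appears here ("...inside a quoted argument, the result of...").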
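Review bot: in `org-create-math-formula` (@@ -16332), `(?i . ,(shell-quote-argument latex-frag))` is consistent with the `?I` and `?o` placeholders, which were already quoted, but the patch adds no runtime check for the configuration it breaks: a user whose `org-latex-to-mathml-convert-command` still wraps `%i` in quotes now gets a command whose behaviour the docstring calls undefined, with no diagnostic. A check before the command is built, for example `(string-match-p "[\"']%i[\"']" org-latex-to-mathml-convert-command)` followed by a `display-warning` that points at the ORG-NEWS entry, would surface the stale customization instead of letting it fail silently.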
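Review bot: `org-format-latex-as-html` (@@ -16400) has the same gap as `org-create-math-formula`: nothing warns when `org-latex-to-html-convert-command` still quotes `%i`. Since both functions now quote the fragment identically via `shell-quote-argument`, moving that quoting and the quoted-`%i` check into one small helper used by both call sites would keep the two code paths from drifting apart again, which is exactly how the HTML path ended up with its own "replaced as is" caveat before this patch.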