Message-ID: <62f6c7ebccedac6bc484cc4443625f434eeb6966.camel@shellcodes.org>
Subject: Re: [PATCH] Fix ob-latex.el command injection vulnerability.
From: lux
To: Ihor Radchenko
Cc: Max Nikulin, emacs-orgmode@gnu.org
Date: Sat, 11 Mar 2023 18:57:55 +0800
In-Reply-To: <87wn3nwomf.fsf@localhost>
References: <87v8jzjj1p.fsf@localhost> <047b7367-c98f-e531-b3e9-bc50b6b098e5@gmail.com> <871qlyqfm0.fsf@localhost> <87wn3nwomf.fsf@localhost>
List-Id: "General discussions about Org-mode."

On Sat, 2023-03-11 at 10:47 +0000, Ihor Radchenko wrote:
>
> I am afraid that we cannot make things universally safe here without
> breaking changes. The best way will be treating :cmd and similar header
> args as unsafe and include them into the planned safety prompt system we
> discussed in https://orgmode.org/list/87edsd5o89.fsf@localhost
>

Ok, I'll undo this part of the changes first, and repost the patch.
[Attachment: 0001-lisp-ob-latex.el-Fix-command-injection-vulnerability.patch (text/x-patch)]

From b48784a16c5806694498f072ffdd98e5a3c144b5 Mon Sep 17 00:00:00 2001
From: Xi Lu <lx@shellcodes.org>
Date: Sat, 11 Mar 2023 18:53:37 +0800
Subject: [PATCH] * lisp/ob-latex.el: Fix command injection vulnerability

(org-babel-execute:latex):
Replaced the `(shell-command "mv BAR NEWBAR")' with `rename-file'.
---
 lisp/ob-latex.el | 13 +++++--------
 1 file changed, 5 insertions(+), 8 deletions(-)

diff --git a/lisp/ob-latex.el b/lisp/ob-latex.el
index a2c24b3d9..ce39628d6 100644
--- a/lisp/ob-latex.el
+++ b/lisp/ob-latex.el
@@ -218,17 +218,14 @@ This function is called by `org-babel-execute-src-block'."
 	    (if (string-suffix-p ".svg" out-file)
 		(progn
 		  (shell-command "pwd")
-		  (shell-command (format "mv %s %s"
-					 (concat (file-name-sans-extension tex-file) "-1.svg")
-					 out-file)))
+                  (rename-file (concat (file-name-sans-extension tex-file) "-1.svg")
+                               out-file t))
 	      (error "SVG file produced but HTML file requested")))
 	   ((file-exists-p (concat (file-name-sans-extension tex-file) ".html"))
 	    (if (string-suffix-p ".html" out-file)
-		(shell-command "mv %s %s"
-			       (concat (file-name-sans-extension tex-file)
-				       ".html")
-			       out-file)
-	      (error "HTML file produced but SVG file requested"))))
+                (rename-file (concat (file-name-sans-extension tex-file) ".html")
+                             out-file t)
+              (error "HTML file produced but SVG file requested")))))
 	 ((or (string= "pdf" extension) imagemagick)
 	  (with-temp-file tex-file
 	    (require 'ox-latex)
-- 
2.39.2
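Review bot: the removed html branch, `-		(shell-command "mv %s %s"` followed by the concatenated name and `out-file` as further arguments, never wrapped the string in `format`, so the literal "mv %s %s" was the command and the two file names were passed as `shell-command`'s OUTPUT-BUFFER and ERROR-BUFFER; the html output was never moved by that branch at all. The `rename-file` replacement fixes that latent bug as well as the injection, and the commit message should say so, since the svg and html branches were not equivalent before this patch. Two smaller points: the unchanged `(shell-command "pwd")` line directly above the first removed line still spawns a shell for no effect on the result, and since the point of the patch is to stop shelling out from this function it would be cleaner to drop it here; and `rename-file` with OK-IF-ALREADY-EXISTS `t` keeps `mv`'s silent overwrite of `out-file`, but unlike the old `shell-command` call it signals a `file-error` when the source file is missing instead of leaving a non-zero exit status unchecked, which is the better behaviour but a visible change worth a line in the message.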
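As an added example (not code from Org mode or from the patch above), the three forms side by side in Emacs Lisp: the interpolated `shell-command` the patch removes, a quoted variant for the case where a shell really is unavoidable, and the `rename-file` call the patch adopts, all driven by a constructed output name that is a perfectly legal path but, spliced unquoted into a command line, is parsed by /bin/sh as two words and a second command. The `demo-` function names and the sample file names are assumptions of the example.

```elisp
;; Added example, not code from Org mode or from the patch under review.
;; It shows what the change from a shell "mv" to `rename-file' buys:
;; the vulnerable form splices file names into a string that /bin/sh
;; parses, the hardened forms never let the shell see them.
;; Every name below is constructed for the demonstration.

(defun demo-unsafe-move (src dst)
  "The pre-patch pattern: SRC and DST become part of a shell command line.
A name containing ; | $( ) or whitespace changes what the shell runs."
  (shell-command (format "mv %s %s" src dst)))

(defun demo-quoted-move (src dst)
  "Still shells out, but each name is a single quoted shell word."
  (shell-command (format "mv %s %s"
                         (shell-quote-argument src)
                         (shell-quote-argument dst))))

(defun demo-safe-move (src dst)
  "What the patch does: no shell at all; OK-IF-ALREADY-EXISTS mirrors mv."
  (rename-file src dst t))

(defun demo-run ()
  "Create a throwaway directory, move a file under a hostile name, and
return the command line the unsafe form would have handed to the shell
together with whether the shell-free move produced the literal file."
  (let* ((dir (make-temp-file "ob-latex-demo" t))
         (src (expand-file-name "fig-1.svg" dir))
         ;; A single, legal file name that is two shell words plus a
         ;; second command when interpolated unquoted.
         (dst (expand-file-name "out.svg; echo INJECTED" dir)))
    (unwind-protect
        (progn
          (with-temp-file src (insert "<svg/>"))
          ;; Built but deliberately not executed: this is the exact
          ;; string `demo-unsafe-move' would hand to /bin/sh.
          (let ((unsafe-cmdline (format "mv %s %s" src dst)))
            (demo-safe-move src dst)
            (list unsafe-cmdline
                  (file-exists-p dst)
                  (not (file-exists-p src)))))
      (delete-directory dir t))))
```

Evaluating `(demo-run)` returns the would-be command line, whose tail reads `out.svg; echo INJECTED`, plus `t t`: `rename-file` created the file under that literal name and removed the source, without any shell parsing the name. `demo-quoted-move` shows the fallback when an external tool is genuinely needed; `shell-quote-argument` turns each name into one shell word, though `call-process` with an argument list avoids the shell entirely and is the better choice in that case.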