Subject: Re: [PATCH] Fix ob-latex.el command injection vulnerability.
From: lux
To: Max Nikulin, emacs-orgmode@gnu.org
Date: Wed, 08 Mar 2023 23:42:58 +0800
In-Reply-To: <047b7367-c98f-e531-b3e9-bc50b6b098e5@gmail.com>
References: <87v8jzjj1p.fsf@localhost> <047b7367-c98f-e531-b3e9-bc50b6b098e5@gmail.com>

On Tue, 2023-03-07 at 22:31 +0700, Max Nikulin wrote:
> On 06/03/2023 10:17, lux wrote:
> > On Sat, 2023-02-18 at 11:43 +0000, Ihor Radchenko wrote:
> > >
> > > I think should be (rename-file img-out out-file t)
> >
> > Fixed, thank you.
>
> There are a couple more mv shell commands in ob-latex.el. It would be
> nice to fix them as well. Sorry, I have not checked it earlier. Are
> you still interested in this topic? I hope, you already have examples
> that can be used to quickly test if modified code works as expected.
Hi, this is a new patch; let me briefly explain this patch:

1. Replaced the `(shell-command "mv BAR NEWBAR")' with `rename-file'.

2. `org-babel-latex-convert-pdf' is not safe; simple test:

   (org-babel-latex-convert-pdf ";id;.tex" ";uname;.pdf" "" "")

   So, add `shell-quote-argument' to each external parameter.

Attachment: 0001-lisp-ob-latex.el-Fix-command-injection-vulnerability.patch (text/x-patch)

From 62f9d32decdd078633e51ea9fa30fdb000b6de51 Mon Sep 17 00:00:00 2001
From: Xi Lu <lx@shellcodes.org>
Date: Wed, 8 Mar 2023 23:28:32 +0800
Subject: [PATCH] * lisp/ob-latex.el: Fix command injection vulnerability

(org-babel-execute:latex): Fix command injection vulnerability
(org-babel-latex-convert-pdf): Add `shell-quote-argument'
---
 lisp/ob-latex.el | 19 +++++++++----------
 1 file changed, 9 insertions(+), 10 deletions(-)

diff --git a/lisp/ob-latex.el b/lisp/ob-latex.el
index a2c24b3d9..2315a8b7c 100644
--- a/lisp/ob-latex.el
+++ b/lisp/ob-latex.el
@@ -218,17 +218,14 @@ This function is called by `org-babel-execute-src-block'."
 	    (if (string-suffix-p ".svg" out-file)
 		(progn
 		  (shell-command "pwd")
-		  (shell-command (format "mv %s %s"
-					 (concat (file-name-sans-extension tex-file) "-1.svg")
-					 out-file)))
+                  (rename-file (concat (file-name-sans-extension tex-file) "-1.svg")
+                               out-file t))
 	      (error "SVG file produced but HTML file requested")))
 	   ((file-exists-p (concat (file-name-sans-extension tex-file) ".html"))
 	    (if (string-suffix-p ".html" out-file)
-		(shell-command "mv %s %s"
-			       (concat (file-name-sans-extension tex-file)
-				       ".html")
-			       out-file)
-	      (error "HTML file produced but SVG file requested")))))
+                (rename-file (concat (file-name-sans-extension tex-file) ".html")
+                             out-file t)
+              (error "HTML file produced but SVG file requested")))))
 	 ((or (string= "pdf" extension) imagemagick)
 	  (with-temp-file tex-file
 	    (require 'ox-latex)
@@ -277,8 +274,10 @@ This function is called by `org-babel-execute-src-block'."
 
(defun org-babel-latex-convert-pdf (pdffile out-file im-in-options im-out-options)
  "Generate a file from a pdf file using imagemagick."
-  (let ((cmd (concat "convert " im-in-options " " pdffile " "
-		     im-out-options " " out-file)))
+  (let ((cmd (concat "convert " (shell-quote-argument im-in-options) " "
+                      (shell-quote-argument pdffile) " "
+		     (shell-quote-argument im-out-options) " "
+                      (shell-quote-argument out-file))))
    (message "Converting pdffile file %s..." cmd)
    (shell-command cmd))))
 
-- 
2.39.2
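Review bot: in the first hunk (`@@ -218,17 +218,14 @@`), the `(shell-command "pwd")` kept as context right above the new `rename-file` call in the SVG branch is a leftover debugging call that spawns a shell for no result; since this block is being rewritten anyway, drop it in the same patch. Worth recording in the commit message too: the removed HTML branch called `(shell-command "mv %s %s" (concat ...) out-file)` without `format`, so the extra arguments were taken as `shell-command`'s output-buffer arguments and the `mv` never had its file names substituted; `rename-file` fixes that bug as well as the injection. Passing `t` as OK-IF-ALREADY-EXISTS keeps the silent-overwrite behaviour of `mv`, which is acceptable here but should be a deliberate choice.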
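Review bot: in the second hunk (`@@ -277,8 +274,10 @@`), wrapping `im-in-options` and `im-out-options` in `shell-quote-argument` changes behaviour for legitimate input: these are the ImageMagick option strings from the `:iminoptions` and `:imoutoptions` header arguments, not file names, so a value such as `-density 300` becomes the single argument `-density\ 300`, and the default empty string becomes a literal `''`, an empty argument that `convert` reads as an input file name. Quote only `pdffile` and `out-file`, the two values derived from file names, or split the option strings on whitespace and quote each word. Separately, the hunk as it appears here is not a valid unified diff: the context lines `(defun ...`, `  "Generate ...`, `    (message ...` and `    (shell-command ...` lack the leading space, and the last of them reads `(shell-command cmd))))` with one closing paren more than the `let`/`defun` nesting needs, so `git am` would reject it; regenerate the patch with `git format-patch` before it is applied.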
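To make the difference between the command constructions in point 2 concrete, here is an added Emacs Lisp example; it is not part of the patch or of Org's ob-latex.el. Every `demo-` name is an assumption made for illustration: the first function builds the `convert` command line as the pre-patch code did, the second as the patch does, and the third splits the ImageMagick option strings into words before quoting, which the patch does not do; `demo-has-unquoted-semicolon-p` is a heuristic check for a `;` that the shell would still interpret.

```elisp
;; Added example, not from the patch or from Org's ob-latex.el.
;; It contrasts three ways of assembling the ImageMagick command line that
;; `org-babel-latex-convert-pdf' passes to `shell-command'.  All `demo-'
;; names are assumptions made here for illustration.

(defun demo-convert-unquoted (pdffile out-file im-in-options im-out-options)
  "Pre-patch construction: every string is spliced into the command line as is,
so shell metacharacters in a file name are interpreted by the shell."
  (concat "convert " im-in-options " " pdffile " " im-out-options " " out-file))

(defun demo-convert-quoted (pdffile out-file im-in-options im-out-options)
  "Construction as in the patch: each parameter becomes one quoted shell word."
  (concat "convert " (shell-quote-argument im-in-options) " "
          (shell-quote-argument pdffile) " "
          (shell-quote-argument im-out-options) " "
          (shell-quote-argument out-file)))

(defun demo-convert-split-options (pdffile out-file im-in-options im-out-options)
  "Hypothetical variant, not what the patch does: split the option strings on
whitespace so that \"-density 300\" stays two arguments, quote every word, and
emit nothing for an empty option string instead of a literal ''."
  (mapconcat #'identity
             (append (list "convert")
                     (mapcar #'shell-quote-argument (split-string im-in-options))
                     (list (shell-quote-argument pdffile))
                     (mapcar #'shell-quote-argument (split-string im-out-options))
                     (list (shell-quote-argument out-file)))
             " "))

(defun demo-has-unquoted-semicolon-p (command)
  "Heuristic: non-nil when COMMAND contains a `;' not preceded by a backslash,
which a POSIX shell would treat as a command separator."
  (string-match-p "\\(?:^\\|[^\\\\]\\);" command))

(defun demo-run ()
  "Return, for each construction, whether the mail's test input still yields
an unquoted `;', followed by the two quoted forms of a multi-word option.
The inputs are constructed: the injection test strings from the mail above
and a benign option string of the kind :iminoptions carries."
  (let ((tex ";id;.tex") (pdf ";uname;.pdf"))
    (list
     (cons 'unquoted (demo-has-unquoted-semicolon-p
                      (demo-convert-unquoted tex pdf "" "")))
     (cons 'quoted (demo-has-unquoted-semicolon-p
                    (demo-convert-quoted tex pdf "" "")))
     (cons 'split (demo-has-unquoted-semicolon-p
                   (demo-convert-split-options tex pdf "" "")))
     (cons 'quoted-option
           (demo-convert-quoted "in.pdf" "out.png" "-density 300" ""))
     (cons 'split-option
           (demo-convert-split-options "in.pdf" "out.png" "-density 300" "")))))
```

Evaluating `(demo-run)` shows the unquoted construction keeping the bare `;` separators from the test file names while both quoted constructions escape them. The last two entries are the reason for splitting: `shell-quote-argument` on the whole string turns `-density 300` into the single word `-density\ 300`, which `convert` does not understand as an option plus value, whereas the split variant keeps it as two arguments and emits nothing at all for an empty option string.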