From 62f9d32decdd078633e51ea9fa30fdb000b6de51 Mon Sep 17 00:00:00 2001
From: Xi Lu
Date: Wed, 8 Mar 2023 23:28:32 +0800
Subject: [PATCH] * lisp/ob-latex.el: Fix command injection vulnerability

(org-babel-execute:latex): Fix command injection vulnerability
(org-babel-latex-convert-pdf): Add `shell-quote-argument'
---
 lisp/ob-latex.el | 19 +++++++++----------
 1 file changed, 9 insertions(+), 10 deletions(-)

diff --git a/lisp/ob-latex.el b/lisp/ob-latex.el
index a2c24b3d9..2315a8b7c 100644
--- a/lisp/ob-latex.el
+++ b/lisp/ob-latex.el
@@ -218,17 +218,14 @@ This function is called by `org-babel-execute-src-block'."
 (if (string-suffix-p ".svg" out-file)
 (progn
 (shell-command "pwd")
- (shell-command (format "mv %s %s"
- (concat (file-name-sans-extension tex-file) "-1.svg")
- out-file)))
+ (rename-file (concat (file-name-sans-extension tex-file) "-1.svg")
+ out-file t))
 (error "SVG file produced but HTML file requested")))
 ((file-exists-p (concat (file-name-sans-extension tex-file) ".html"))
 (if (string-suffix-p ".html" out-file)
- (shell-command "mv %s %s"
- (concat (file-name-sans-extension tex-file)
- ".html")
- out-file)
- (error "HTML file produced but SVG file requested")))))
+ (rename-file (concat (file-name-sans-extension tex-file) ".html")
+ out-file t)
+ (error "HTML file produced but SVG file requested")))))
 ((or (string= "pdf" extension) imagemagick)
 (with-temp-file tex-file
 (require 'ox-latex)
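Review bot: `(shell-command "pwd")`, the context line directly above the new `rename-file` call, still spawns a shell just to print the working directory into a buffer and looks like leftover debugging; since this hunk removes shell use from the SVG branch, it should go too, leaving `(rename-file (concat (file-name-sans-extension tex-file) "-1.svg") out-file t)` as the sole form under the `if` (the `progn` is then unnecessary). The `t` OK-IF-ALREADY-EXISTS argument keeps the silent overwrite the old `mv` performed, which is reasonable as long as out-file is always a path the user asked for; a one-line comment such as `;; Overwrite stale output from a previous run.` would make that choice explicit. The enclosing org-babel-execute:latex starts and ends outside the hunk.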
@@ -277,8 +274,10 @@ This function is called by `org-babel-execute-src-block'."
 
 (defun org-babel-latex-convert-pdf (pdffile out-file im-in-options im-out-options)
 "Generate a file from a pdf file using imagemagick."
- (let ((cmd (concat "convert " im-in-options " " pdffile " "
- im-out-options " " out-file)))
+ (let ((cmd (concat "convert " (shell-quote-argument im-in-options) " "
+ (shell-quote-argument pdffile) " "
+ (shell-quote-argument im-out-options) " "
+ (shell-quote-argument out-file))))
 (message "Converting pdffile file %s..." cmd)
 (shell-command cmd)))
 
--
2.39.2
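Review bot: Wrapping im-in-options and im-out-options in `shell-quote-argument` changes their semantics in two ways the commit does not address. If a caller leaves an option unset, `(shell-quote-argument nil)` signals wrong-type-argument where the old `concat` silently accepted nil, so an absent header argument would now become an error — worth confirming against the caller. An option string carrying several switches (e.g. `-density 300`) is now handed to convert as a single word, so the switch and its value can no longer be separated; the rewrite below splits each option string into words with `split-string-and-unquote` and quotes every word individually, keeping the shell-safety this commit adds. The enclosing defun lies entirely within the hunk.
```elisp
(defun org-babel-latex-convert-pdf (pdffile out-file im-in-options im-out-options)
  "Generate a file from a pdf file using imagemagick."
  ;; Quote every word separately so an option string holding several
  ;; switches stays several arguments; nil options contribute nothing.
  (let ((cmd (mapconcat #'shell-quote-argument
                        (append (list "convert")
                                (and im-in-options
                                     (split-string-and-unquote im-in-options))
                                (list pdffile)
                                (and im-out-options
                                     (split-string-and-unquote im-out-options))
                                (list out-file))
                        " ")))
    ;; … unchanged: message and shell-command …
```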