emacs-orgmode@gnu.org archives
From: Max Nikulin <manikulin@gmail.com>
To: emacs-orgmode@gnu.org
Subject: Re: Warn about shell-expansion in the docstring of org-latex-to-html-convert-command
Date: Sat, 9 Mar 2024 22:23:49 +0700
Message-ID: <ushuu6$hpn$1@ciao.gmane.io>
In-Reply-To: <87jzmdht2w.fsf@localhost>

On 08/03/2024 18:16, Ihor Radchenko wrote:
> Max Nikulin writes:
> 
> I decided not to introduce stdin. User can always use echo %i | ... instead.

printf "%%s" %i

should be safer. However, in this particular case, input that may be 
recognized as echo options ("-n") should be wrapped in LaTeX delimiters.

> Even stripping quotes is unreliable when we use the example from
> docstring: 'literal:%i'.

My idea is to recognize this case. If stripping is not performed, then it 
is necessary to detect whether the user command is safe. Otherwise an 
apostrophe in a formula (even after escaping) may cause math to leak to the 
shell. I have not figured out if it is possible to bypass double quotes, but 
extra slashes may distort the math expression.

It is trivial to cause shell failure when single quotes are used around 
%i. I have doubts concerning double quotes. Perhaps stripping them is 
more reliable.

> Attaching tentative patch that fixes the problem.

I think it is in the right direction.
- Manual needs update as well.
- I would explicitly stress that quotes cause undefined or even 
dangerous behavior. See e.g. the last paragraph of
https://specifications.freedesktop.org/desktop-entry-spec/latest/ar01s07.html
- I expected it as a bugfix.

I have tried to add some unit tests, but I faced an issue with 
`org-create-math-formula'. It creates temporary files in 
`default-directory' and does not remove them on failure. Moreover, it 
does not work in a container where git is not installed:

Debugger entered--Lisp error: (file-missing "Searching for program" "No 
such file or directory" "git")

that is called from `find-file-hook'.

(ert-deftest test-org/create-math-formula ()
  "Test shell special characters escaping in `org-create-math-formula'."
  (let ((org-latex-to-mathml-convert-command
         "printf \"<math xmlns=\\\"http://www.w3.org/1998/Math/MathML\\\"><I%%sI></math>\" %i >%o"))
    ;; No backslashes added by `shell-quote-argument'
    ;; are leaked to command arguments. dash(1) "Double Quotes":
    ;;
    ;;     The backslash inside double quotes is historically weird,
    ;;     and serves to quote only the following characters:
    ;;         $ ` " \ <newline>.
    ;;     Otherwise it remains literal.
    (should
     (equal "<I(|)`[[\\]]{}#$'!I>"
            (org-create-math-formula "(|)`[[\\]]{}#$'!")))
    ;; Multiple words
    (should
     (equal "<Iwords ; |I>"
            (org-create-math-formula "words ; |")))
    ;; Bypass single quote
    (should
     (equal "<Iapostrophe' ; |I>"
            (org-create-math-formula "apostrophe' ; |")))
    ;; Bypass double quote
    (should
     (equal "<Iquote\" ; |I>"
            (org-create-math-formula "quote\" ; |")))))
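Added shell demonstration (not code from Org or from this thread) of the three ways of writing the %i placeholder discussed above, plus the echo vs printf point: it emulates Emacs's POSIX `shell-quote-argument' with sed (the empty-string and newline special cases are omitted, an assumption) and runs each expanded command line through `sh`, so one can see which template keeps the fragment intact, which one breaks the shell, and which one leaks backslashes into the math.

```shell
#!/bin/sh
# Constructed demonstration: what a LaTeX fragment looks like after Emacs
# escapes it with `shell-quote-argument' and a user template with %i is
# handed to /bin/sh. Assumes a POSIX sh is available as `sh`.

# Emulation of Emacs's POSIX `shell-quote-argument': prefix a backslash to
# every character outside [-0-9a-zA-Z_./]. The empty-string and newline
# special cases of the real function are omitted here (assumption).
emacs_quote() {
  printf '%s\n' "$1" | sed 's|[^-0-9a-zA-Z_./]|\\&|g'
}

# Expand the first %i in a user template with the escaped fragment, run the
# command line through sh, and return what the command actually received.
# Returns the word FAILED when sh refuses to parse the command line.
run_template() {
  template=$1
  quoted=$(emacs_quote "$2")
  prefix=${template%%"%i"*}
  suffix=${template#*"%i"}
  sh -c "$prefix$quoted$suffix" 2>/dev/null || printf 'FAILED'
}

# Constructed sample fragment: an apostrophe plus shell metacharacters,
# the "Bypass single quote" case from the thread.
fragment="apostrophe' ; |"

# Bare %i: the backslashes do their job, the fragment arrives intact.
# Single-quoted '%i': the escaped apostrophe closes the quote -> FAILED.
# Double-quoted "%i": sh keeps the backslashes -> the fragment is distorted.
for tpl in 'printf "%s" %i' "printf '%s' '%i'" 'printf "%s" "%i"'; do
  printf '%-20s -> [%s]\n' "$tpl" "$(run_template "$tpl" "$fragment")"
done

# echo vs printf: a fragment that looks like an option is swallowed by echo,
# while printf "%s" passes it through unchanged.
printf '%-20s -> [%s]\n' 'echo %i' "$(run_template 'echo %i' '-n')"
printf '%-20s -> [%s]\n' 'printf "%s" %i' "$(run_template 'printf "%s" %i' '-n')"
```

In Org's own template the format string would be written `%%s`, since the command goes through `format-spec` before the shell sees it.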
