To: emacs-orgmode@gnu.org
From: Max Nikulin
Subject: Re: Warn about shell-expansion in the docstring of org-latex-to-html-convert-command
Date: Mon, 1 Apr 2024 17:29:40 +0700

On 31/03/2024 15:25, Ihor Radchenko wrote:
> Max Nikulin writes:
>>
>> I think it is in the right direction.
>> - Manual needs update as well.
>> - I would explicitly stress that quotes cause undefined or even
>> dangerous behavior. See e.g. the last paragraph
>> https://specifications.freedesktop.org/desktop-entry-spec/latest/ar01s07.html
>
> I have incorporated the above suggestions into the attached version of
> the patch.

Thanks, I have not tried the updated patch in action, but it looks like
what I expect.

> +++ b/etc/ORG-NEWS
> @@ -13,6 +13,16 @@ Please send Org bug reports to mailto:emacs-orgmode@gnu.org.
>
> * Version 9.7 (not released yet)
> ** Important announcements and breaking changes
> +*** ~org-latex-to-mathml-convert-command~ and ~org-latex-to-html-convert-command~ shell-escape LaTeX code
> +
> +Previously, ~org-latex-to-mathml-convert-command~ and
> +~org-latex-to-html-convert-command~ replaced %i placeholders with raw
> +LaTeX fragment text, potentially triggering shell-expansion.
> +
> +Now, the %i placeholders are shell-escaped to prevent shell expansion.
> +
> +The existing customizations that assume no shell-escaping must be updated.
> +

I would consider explicit mention of stripping quotes

+Previously, =%i= placeholders in the
~org-latex-to-mathml-convert-command~ and
~org-latex-to-html-convert-command~ user options were replaced with raw
LaTeX fragment text, potentially triggering shell-expansion and
incorrect result.

Now, the =%i= placeholders are shell-escaped to prevent shell expansion.
If you have single or double quotes around =%i= then update
customizations and remove quotes.
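
Review bot: In the quoted etc/ORG-NEWS hunk, the closing sentence "The existing customizations that assume no shell-escaping must be updated." does not say what the user has to change; name the concrete action, for example that quotes placed around %i in the command should be removed. The entry also writes "shell-expansion" in one sentence and "shell expansion" in the next, and leaves %i unmarked while the option names are wrapped in ~...~; settle on one spelling and mark the placeholder as verbatim.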
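
Why quotes left around =%i= matter once the fragment is shell-escaped, as an added example that is not part of the original message or of Org's code. Python drives /bin/sh here; `backslash_quote`, `run_template`, the sample fragment and `DEMO_VAR` are constructed for illustration, and `shlex.quote` and `backslash_quote` are stand-ins for whatever escaping Org applies.

```python
import re
import shlex
import subprocess

# Constructed sample: "$DEMO_VAR" stands in for anything /bin/sh would expand.
FRAGMENT = r"\alpha $DEMO_VAR"
ENV = {"PATH": "/usr/bin:/bin", "DEMO_VAR": "EXPANDED"}


def backslash_quote(text):
    """Hypothetical escaper: backslash every character outside a safe set."""
    return re.sub(r"[^-0-9a-zA-Z_./]", lambda m: "\\" + m.group(0), text)


def run_template(template, escape=None, fragment=FRAGMENT):
    """Replace %i in the template, run it with /bin/sh, return its stdout."""
    value = escape(fragment) if escape else fragment
    done = subprocess.run(["/bin/sh", "-c", template.replace("%i", value)],
                          env=ENV, capture_output=True, text=True, check=True)
    return done.stdout


def demo():
    bare, quoted = "printf '%s' %i", "printf '%s' '%i'"
    return {
        # Old behaviour: raw text, the shell expands and word-splits it.
        "raw/bare": run_template(bare),
        # Old behaviour with the usual workaround: quotes protect the text.
        "raw/quoted": run_template(quoted),
        # New behaviour: escaped text, no quotes in the template.
        "escaped/bare": run_template(bare, shlex.quote),
        "backslash/bare": run_template(bare, backslash_quote),
        # Stale customization: quotes kept around an escaped placeholder.
        "escaped/quoted": run_template(quoted, shlex.quote),
        "backslash/quoted": run_template(quoted, backslash_quote),
    }


if __name__ == "__main__":
    for case, output in demo().items():
        print(f"{case:18} {output!r}")
```

With quotes kept around an escaped placeholder, the quote-wrapping escaper has its quotes cancelled and the shell expands the fragment again, while the backslash escaper delivers the fragment with stray backslashes.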