Re: [PATCH] Fix ob-latex.el command injection vulnerability.
From: lux
Subject: Re: [PATCH] Fix ob-latex.el command injection vulnerability.
Date: Sat, 18 Feb 2023 19:28:40 +0800
User-agent: Evolution 3.46.3 (3.46.3-1.fc37)
On Sat, 2023-02-18 at 18:15 +0700, Max Nikulin wrote:
> On 18/02/2023 17:08, lux wrote:
> > - (shell-command (format "mv %s %s" img-out out-
> > file)))))
> > + (shell-command (format "mv %s %s" (shell-quote-
> > argument img-out) (shell-quote-argument out-file))))))
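Review bot: the `+` line still passes both paths through a shell, and `mv %s %s` has no `--` before the operands, so `shell-quote-argument` stops metacharacter expansion but a path that begins with `-` would still be read by mv as an option. Calling (rename-file img-out out-file t) avoids the shell altogether; the third argument keeps the overwrite behaviour of mv, since rename-file otherwise signals an error when the target already exists.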
>
> Thank you for the patch. Certainly it is an improvement.
>
> Is there any reason why `rename-file' should be avoided here? I just
> have discovered this function, so I am unaware of possible pitfalls.
>
> (info "(elisp) Changing-Files")
> https://www.gnu.org/software/emacs/manual/html_node/elisp/Changing-Files.html#index-rename_002dfile
I think using `rename-file' is a good idea. We should use the Emacs
built-in functions as much as possible instead of external shell
commands, because these are more secure.
Attachment: 0001-lisp-ob-latex.el-org-babel-execute-latex-Fix-command.patch (Description: Text Data)