[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Warn about shell-expansion in the docstring of org-latex-to-html-con
|
From: |
Max Nikulin |
|
Subject: |
Re: Warn about shell-expansion in the docstring of org-latex-to-html-convert-command |
|
Date: |
Sat, 9 Mar 2024 22:23:49 +0700 |
|
User-agent: |
Mozilla Thunderbird |
On 08/03/2024 18:16, Ihor Radchenko wrote:
Max Nikulin writes:
I decided not to introduce stdin. User can always use echo %i | ... instead.
printf "%%s" %i
should be safer. However in this particular case, input that may be
recognized like echo options ("-n") should be wrapped with LaTeX delimiters.
Even stripping quotes is unreliable when we use the example from
docstring: 'literal:%i'.
My idea is to recognize this case. If stripping is not performed then it
is necessary to detect if user command is safe. Otherwise apostrophe in
a formula (even after escaping) may cause leaking math to shell. I have
not figured out if it is possible to bypass double quotes, but extra
slashes may distort math expression.
It is trivial to cause shell failure when single quotes are used around
%i. I am in doubts concerning double quotes. Perhaps stripping them is
more reliable.
Attaching tentative patch that fixes the problem.
I think it is in the right direction.
- Manual needs update as well.
- I would explicitly stress that quotes causes undefined or even
dangerous behavior. See e.g. the last paragraph
https://specifications.freedesktop.org/desktop-entry-spec/latest/ar01s07.html
- I expected it as bugfix.
I have tried to add some unit tests, but I faced an issue with
`org-create-math-formula'. It creates temporary files in
`default-directory' and does not remove them on failure. Moreover, it
does not work in a container where git is not installed:
Debugger entered--Lisp error: (file-missing "Searching for program" "No
such file or directory" "git")
that is called from `find-file-hook'.
(ert-deftest test-org/create-math-formula ()
"Test shell special characters escaping in `org-create-math-formula'."
(let ((org-latex-to-mathml-convert-command
"printf \"<math
xmlns=\\\"http://www.w3.org/1998/Math/MathML\\\";><I%%sI></math>\" %i >%o"))
;; No backslashes added by `shell-quote-argumet'
;; are leaked to command arguments. dash(1) "Double Quotes":
;;
;; The backslash inside double quotes is historically weird,
;; and serves to quote only the following characters:
;; $ ` " \ <newline>.
;; Otherwise it remains literal.
(should
(equal "<I(|)`[[\\]]{}#$'!I>"
(org-create-math-formula "(|)`[[\\]]{}#$'!")))
;; Multiple words
(should
(equal "<Iwords ; |I>"
(org-create-math-formula "words ; |")))
;; Bypass single quote
(should
(equal "<Iapostrophe' ; |I>"
(org-create-math-formula "apostrophe' ; |")))
;; Bypass double quote
(should
(equal "<Iquote\" ; |I>"
(org-create-math-formula "quote\" ; |")))))
- Re: Warn about shell-expansion in the docstring of org-latex-to-html-convert-command, Max Nikulin, 2024/03/05
- Re: Warn about shell-expansion in the docstring of org-latex-to-html-convert-command, Ihor Radchenko, 2024/03/08
- Re: Warn about shell-expansion in the docstring of org-latex-to-html-convert-command,
Max Nikulin <=
- Re: Warn about shell-expansion in the docstring of org-latex-to-html-convert-command, Ihor Radchenko, 2024/03/12
- Re: Warn about shell-expansion in the docstring of org-latex-to-html-convert-command, Max Nikulin, 2024/03/13
- Re: Warn about shell-expansion in the docstring of org-latex-to-html-convert-command, Ihor Radchenko, 2024/03/15
- Re: Warn about shell-expansion in the docstring of org-latex-to-html-convert-command, Max Nikulin, 2024/03/18
- Re: Warn about shell-expansion in the docstring of org-latex-to-html-convert-command, Ihor Radchenko, 2024/03/19
- Re: Warn about shell-expansion in the docstring of org-latex-to-html-convert-command, Ihor Radchenko, 2024/03/19
- Re: Warn about shell-expansion in the docstring of org-latex-to-html-convert-command, Max Nikulin, 2024/03/19
- Re: Warn about shell-expansion in the docstring of org-latex-to-html-convert-command, Ihor Radchenko, 2024/03/19