Re: Warn about shell-expansion in the docstring of org-latex-to-html-con
From: Ihor Radchenko
Subject: Re: Warn about shell-expansion in the docstring of org-latex-to-html-convert-command
Date: Tue, 12 Mar 2024 13:03:01 +0000
Max Nikulin <manikulin@gmail.com> writes:
>> Even stripping quotes is unreliable when we use the example from
>> docstring: 'literal:%i'.
>
> My idea is to recognize this case. If stripping is not performed then it
> is necessary to detect if user command is safe. Otherwise apostrophe in
> a formula (even after escaping) may cause leaking math to shell. I have
> not figured out if it is possible to bypass double quotes, but extra
> slashes may distort math expression.
>
> It is trivial to cause shell failure when single quotes are used around
> %i. I am in doubt concerning double quotes. Perhaps stripping them is
> more reliable.
Could you list the cases that you propose to recognize?
>> Attaching tentative patch that fixes the problem.
>
> I think it is in the right direction.
> - Manual needs update as well.
Yes,
#+begin_src emacs-lisp
(setq org-latex-to-mathml-convert-command
      "latexmlmath \"%i\" --presentationmathml=%o")
#+end_src
example in "LaTeX math snippets" section should be updated. (note to self)
> - I would explicitly stress that quotes cause undefined or even
> dangerous behavior. See e.g. the last paragraph
> https://specifications.freedesktop.org/desktop-entry-spec/latest/ar01s07.html
In ORG-NEWS?
> - I expected it as bugfix.
It is a breaking change.
Also, only users who customized the variable may be prone to unexpected
shell expansion. So, I do not see it as a critical bug.
Hence, not for bugfix.
> I have tried to add some unit tests, but I faced an issue with
> `org-create-math-formula'. It creates temporary files in
> `default-directory' and does not remove them on failure. Moreover, it
> does not work in a container where git is not installed:
> ...
> Debugger entered--Lisp error: (file-missing "Searching for program" "No
> such file or directory" "git")
>
> that is called from `find-file-hook'.
with emacs -Q?
--
Ihor Radchenko // yantar92,
Org mode contributor,
Learn more about Org mode at <https://orgmode.org/>.
Support Org development at <https://liberapay.com/org-mode>,
or support my work at <https://liberapay.com/yantar92>
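
The placeholder handling discussed in this message, as an added example that is not part of the original e-mail or of Org's code: it refuses a command template that quotes %i (including the 'literal:%i' form) and otherwise substitutes the formula through `shell-quote-argument`. The `my/` functions, the `converter` command and the sample formula are hypothetical, and a POSIX shell is assumed.

```emacs-lisp
;;; -*- lexical-binding: t; -*-
;; Added example, not Org's code.  `my/...' names are hypothetical and
;; the formula is constructed.  Assumes a POSIX shell.

(defun my/quoted-placeholder-p (template)
  "Return non-nil if %i occurs inside shell quotes in TEMPLATE.
Tracks quote state, so a prefixed form such as literal:%i is caught."
  (let ((quote-char nil) (i 0) (n (length template)) found)
    (while (and (< i n) (not found))
      (let ((c (aref template i)))
        (cond
         ;; Outside single quotes a backslash escapes the next character.
         ((and (eq c ?\\) (not (eq quote-char ?\')))
          (setq i (1+ i)))
         ((and quote-char (eq c quote-char))          ; closing quote
          (setq quote-char nil))
         ((and (not quote-char) (memq c '(?\' ?\")))  ; opening quote
          (setq quote-char c))
         ((and quote-char (eq c ?%) (< (1+ i) n)
               (eq (aref template (1+ i)) ?i))        ; %i inside quotes
          (setq found t))))
      (setq i (1+ i)))
    found))

(defun my/expand-command (template formula)
  "Return TEMPLATE with each %i replaced by shell-quoted FORMULA.
Signal an error when TEMPLATE already quotes the placeholder."
  (when (my/quoted-placeholder-p template)
    (user-error "Remove the quotes around %%i in: %s" template))
  ;; FIXEDCASE and LITERAL keep backslashes in the replacement intact.
  (replace-regexp-in-string "%i" (shell-quote-argument formula)
                            template t t))

;; Constructed formula with an apostrophe, double quotes, a backslash
;; and dollar signs.
(let ((formula "f'(x) = \\alpha \"$x$\""))
  ;; Unquoted %i: printf stands in for the converter and receives the
  ;; formula as one argument, byte for byte.
  (message "%S" (shell-command-to-string
                 (my/expand-command "printf '%s' %i" formula)))
  ;; Templates that quote the placeholder are refused before any shell runs.
  (dolist (tpl '("latexmlmath \"%i\" --presentationmathml=%o"
                 "converter 'literal:%i'"))
    (message "%s -> %s" tpl
             (if (my/quoted-placeholder-p tpl) "rejected" "ok"))))
```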