Max Nikulin <maniku...@gmail.com> writes:

>> Even stripping quotes is unreliable when we use the example from
>> docstring: 'literal:%i'.
>
> My idea is to recognize this case. If stripping is not performed then it
> is necessary to detect if user command is safe. Otherwise apostrophe in
> a formula (even after escaping) may cause leaking math to shell. I have
> not figured out if it is possible to bypass double quotes, but extra
> slashes may distort math expression.
>
> It is trivial to cause shell failure when single quotes are used around
> %i. I am in doubt concerning double quotes. Perhaps stripping them is
> more reliable.
May you list the cases you propose to recognize?

>> Attaching tentative patch that fixes the problem.
>
> I think it is in the right direction.
> - Manual needs update as well.

Yes,

#+begin_src emacs-lisp
(setq org-latex-to-mathml-convert-command
      "latexmlmath \"%i\" --presentationmathml=%o")
#+end_src

example in "LaTeX math snippets" section should be updated. (note to self)

> - I would explicitly stress that quotes cause undefined or even
> dangerous behavior. See e.g. the last paragraph
> https://specifications.freedesktop.org/desktop-entry-spec/latest/ar01s07.html

In ORG-NEWS?

> - I expected it as bugfix.

It is a breaking change. Also, only users who customized the variable may
be prone to unexpected shell expansion. So, I do not see it as a critical
bug. Hence, not for bugfix.

> I have tried to add some unit tests, but I faced an issue with
> `org-create-math-formula'. It creates temporary files in
> `default-directory' and does not remove them on failure. Moreover, it
> does not work in a container where git is not installed:
> ...
> Debugger entered--Lisp error: (file-missing "Searching for program" "No
> such file or directory" "git")
>
> that is called from `find-file-hook'.

with emacs -Q?

-- 
Ihor Radchenko // yantar92,
Org mode contributor,
Learn more about Org mode at <https://orgmode.org/>.
Support Org development at <https://liberapay.com/org-mode>,
or support my work at <https://liberapay.com/yantar92>
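The two failure modes discussed in the thread (an apostrophe in a formula breaking a single-quoted `%i`, and a double-quoted `%i` being escaped by a `"` in the formula) are easy to see by splitting the expanded command the way a POSIX shell would. The following is an added illustration written for this reply, in Python rather than Emacs Lisp, and it is not code from Org mode or from the tentative patch: the `latexmlmath` templates, the output file name, the `f'(x)` and hostile formulas are all constructed here, and `shlex` only models word splitting and quoting, not `$`, backtick or backslash expansion inside double quotes. The "safe" path is the approach Max describes, strip the quotes the user wrapped around `%i` and insert the formula already shell-quoted (Org would use `shell-quote-argument` for the same purpose).

```python
import re
import shlex

# Placeholders as used by org-latex-to-mathml-convert-command:
# %i is the input formula, %o the output file.
INPUT_PLACEHOLDER = "%i"
OUTPUT_PLACEHOLDER = "%o"

# Constructed templates for the demonstration (not Org's defaults): %i wrapped in
# single quotes, in double quotes, and bare.
TEMPLATE_SINGLE = "latexmlmath '%i' --presentationmathml=%o"
TEMPLATE_DOUBLE = 'latexmlmath "%i" --presentationmathml=%o'
TEMPLATE_BARE = "latexmlmath %i --presentationmathml=%o"

# Matches %i wrapped in a matching pair of single or double quotes.
QUOTED_INPUT = re.compile(r"""(["'])%i\1""")


def naive_substitute(template, formula, output="out.xml"):
    """Splice the raw formula into the template, trusting the user's own quotes."""
    return (template.replace(INPUT_PLACEHOLDER, formula)
                    .replace(OUTPUT_PLACEHOLDER, output))


def safe_substitute(template, formula, output="out.xml"):
    """Drop quotes the user put around %i, then insert the formula shell-quoted.

    Stripping first matters: quoting into an already single-quoted placeholder
    would nest quotes and break the command for every formula, hostile or not.
    """
    stripped = QUOTED_INPUT.sub(INPUT_PLACEHOLDER, template)
    return (stripped.replace(INPUT_PLACEHOLDER, shlex.quote(formula))
                    .replace(OUTPUT_PLACEHOLDER, shlex.quote(output)))


def shell_argv(command):
    """Split like a POSIX shell: quotes honoured, ; & | ( ) < > kept as their own
    tokens, no expansion. Returns None where the shell would reject the line
    because of an unterminated quote."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    try:
        return list(lexer)
    except ValueError:  # "No closing quotation"
        return None


def leaks_to_shell(command):
    """True when the formula either breaks the command line or contributes a
    command separator, i.e. part of the "math" is now shell syntax."""
    argv = shell_argv(command)
    return argv is None or any(tok in (";", "&", "|", "&&", "||") for tok in argv)


if __name__ == "__main__":
    # A legitimate formula with an apostrophe, and a constructed hostile one.
    for formula in ("f'(x)", 'x"; echo pwned; "y'):
        for name, template in (("single", TEMPLATE_SINGLE),
                               ("double", TEMPLATE_DOUBLE),
                               ("bare", TEMPLATE_BARE)):
            for label, fn in (("naive", naive_substitute), ("safe", safe_substitute)):
                cmd = fn(template, formula)
                print(f"{name:6} {label:5} leaks={leaks_to_shell(cmd)!s:5} argv={shell_argv(cmd)}")
```

With the single-quoted template, `f'(x)` spliced in naively leaves an unterminated quote and the shell rejects the line; with the double-quoted template it survives, but a formula containing `"` escapes the quotes and a `;` token lands outside any argument. After stripping and `shlex.quote`, every template yields exactly three words with the formula intact as the second one.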