On Sat, 2023-02-18 at 18:15 +0700, Max Nikulin wrote:
> On 18/02/2023 17:08, lux wrote:
> > - (shell-command (format "mv %s %s" img-out out-file)))))
> > + (shell-command (format "mv %s %s" (shell-quote-argument img-out) (shell-quote-argument out-file))))))
>
> Thank you for the patch. Certainly it is an improvement.
>
> Is there any reason why `rename-file' should be avoided here? I just
> have discovered this function, so I am unaware of possible pitfalls.
>
> (info "(elisp) Changing-Files")
> https://www.gnu.org/software/emacs/manual/html_node/elisp/Changing-Files.html#index-rename_002dfile
I think using `rename-file' is a good idea. We should use the Emacs built-in functions as much as possible instead of external shell commands, because they are more secure.
From adc0c558b1b091bb4bef77901633f31344b7391a Mon Sep 17 00:00:00 2001 From: Xi Lu <l...@shellcodes.org> Date: Sat, 18 Feb 2023 18:03:28 +0800 Subject: [PATCH] * lisp/ob-latex.el (org-babel-execute:latex): Fix command injection vulnerability. --- lisp/ob-latex.el | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lisp/ob-latex.el b/lisp/ob-latex.el index 428907a27..0d0a37a02 100644 --- a/lisp/ob-latex.el +++ b/lisp/ob-latex.el @@ -180,7 +180,7 @@ This function is called by `org-babel-execute-src-block'." tmp-pdf (list org-babel-latex-pdf-svg-process) extension err-msg log-buf))) - (shell-command (format "mv %s %s" img-out out-file))))) + (rename-file img-out out-file)))) ((string-suffix-p ".tikz" out-file) (when (file-exists-p out-file) (delete-file out-file)) (with-temp-file out-file -- 2.30.2
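Review bot: the replacement `(rename-file img-out out-file)` in the hunk drops the overwrite behaviour of `mv`: `rename-file` signals `file-already-exists` when out-file already exists unless its optional third argument OK-IF-ALREADY-EXISTS is non-nil, so a second evaluation of the same block would now fail where it used to succeed. Either pass it, `(rename-file img-out out-file t)`, or delete the target first as the `.tikz` branch in the trailing context already does with `(when (file-exists-p out-file) (delete-file out-file))`. Apart from that, removing the shell entirely is the right fix; it also covers file names that `shell-quote-argument` would have to escape.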
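To make the difference between the three variants in this thread concrete, here is an added Emacs Lisp demonstration; it is not code from the patch or from ob-latex.el. All `demo-` names are assumptions, the scratch directory and the hostile file name are constructed, and it assumes a POSIX /bin/sh and a temp directory whose path contains no spaces.

```elisp
;;; Added example, not part of the org-mode patch or ob-latex.el.
;;; Shows why the original `shell-command' + `format' line was a command
;;; injection and compares the two fixes from the thread.  Everything
;;; prefixed `demo-' is an assumption; files and the hostile name are
;;; constructed.  Assumes a POSIX /bin/sh and a writable temp dir.

(defun demo-move-vulnerable (src dst)
  "Original pattern: file names spliced unquoted into a shell line."
  (shell-command (format "mv %s %s" src dst)))

(defun demo-move-quoted (src dst)
  "First patch: each name escaped so the shell sees exactly one word."
  (shell-command (format "mv %s %s"
                         (shell-quote-argument src)
                         (shell-quote-argument dst))))

(defun demo-move-builtin (src dst)
  "Second patch: no shell at all.  The third argument t overwrites an
existing DST, as `mv' did; without it `rename-file' signals
`file-already-exists'."
  (rename-file src dst t))

(defun demo-run-one (mover)
  "Move a fresh file to a hostile name with MOVER inside a scratch dir.
Return (DST-CREATED-P . INJECTED-P): whether a file with the literal
hostile name was created, and whether the smuggled `touch' ran."
  (let* ((dir (make-temp-file "ob-latex-demo" t))
         (default-directory dir)   ; where a stray `touch injected' lands
         (src (expand-file-name "img.svg" dir))
         ;; `;' ends the mv command and starts a second one in the shell.
         (dst (expand-file-name "out.svg; touch injected" dir)))
    (unwind-protect
        (progn
          (with-temp-file src (insert "<svg/>"))
          (funcall mover src dst)
          (cons (file-exists-p dst)
                (file-exists-p (expand-file-name "injected" dir))))
      (delete-directory dir t))))

(defun demo-compare ()
  "Run all three variants and return an alist of their results."
  (list (cons 'vulnerable (demo-run-one #'demo-move-vulnerable))
        (cons 'quoted     (demo-run-one #'demo-move-quoted))
        (cons 'builtin    (demo-run-one #'demo-move-builtin))))
```

Evaluate `(demo-compare)` in a scratch buffer. For the vulnerable mover the shell splits the line at the `;`, so no file with the hostile name appears but the trailing `touch` runs; for both the quoted and the built-in movers the whole string is treated as a single file name, so the file is created under its literal name and nothing else executes. Only the built-in version avoids the shell altogether, which is the point made in the reply above.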