On Sat, 2023-02-18 at 11:43 +0000, Ihor Radchenko wrote:
> lux <l...@shellcodes.org> writes:
> 
> > -              (shell-command (format "mv %s %s" img-out out-
> > file)))))
> > +              (rename-file img-out out-file))))
> 
> I think it should be (rename-file img-out out-file t)
> 

Fixed, thank you.
From adc0c558b1b091bb4bef77901633f31344b7391a Mon Sep 17 00:00:00 2001
From: Xi Lu <l...@shellcodes.org>
Date: Sat, 18 Feb 2023 18:03:28 +0800
Subject: [PATCH] * lisp/ob-latex.el (org-babel-execute:latex): Fix command
 injection vulnerability.

---
 lisp/ob-latex.el | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lisp/ob-latex.el b/lisp/ob-latex.el
index 428907a27..0d0a37a02 100644
--- a/lisp/ob-latex.el
+++ b/lisp/ob-latex.el
@@ -180,7 +180,7 @@ This function is called by `org-babel-execute-src-block'."
 	                     tmp-pdf
                              (list org-babel-latex-pdf-svg-process)
                              extension err-msg log-buf)))
-              (shell-command (format "mv %s %s" img-out out-file)))))
+              (rename-file img-out out-file t))))
          ((string-suffix-p ".tikz" out-file)
 	  (when (file-exists-p out-file) (delete-file out-file))
 	  (with-temp-file out-file
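Review bot: The commit message has no body, so nothing records why the removed line `(shell-command (format "mv %s %s" img-out out-file))` was injectable. Both file names were formatted into a shell command string with no quoting, so shell metacharacters in either name would be interpreted by the shell. Please add a sentence saying that to the commit message. On the replacement line, the `t` argument to `rename-file` keeps mv's overwrite-if-exists behaviour, but `rename-file` signals an error when the rename fails, where `shell-command` only returned mv's exit status. Confirm that an error raised at this point in `org-babel-execute:latex` is the intended outcome, and mention that behaviour change in the message as well.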
-- 
2.30.2
