On 2026/4/2 01:45, Ihor Radchenko wrote:
lux <[email protected]> writes:

The `org-babel-execute:plantuml' function does not properly escape the
`out-file' parameter when invoking the `inkscape' command. This leads to
a command injection vulnerability.
That's not really a vulnerability.
Not when you can do command injection officially, via :cmdline header argument.
But it is indeed a bug.

-        (org-babel-eval (format "inkscape %s -T -l %s" out-file out-file) ""))
+        (org-babel-eval (format "inkscape %s -T -l %s"
+                                (shell-quote-argument out-file)
+                                (shell-quote-argument out-file)) ""))
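Review bot: the `shell-quote-argument` calls on `out-file` stop a crafted :file value from being parsed as extra shell commands, but they still pass a TRAMP remote path (`/ssh:host:/tmp/x.svg`) verbatim to the remote shell, where it does not exist as a local path. Bind `out-file` once through `org-babel-process-file-name`, which shell-quotes and strips the remote prefix, and reuse that value for both `%s` rather than quoting twice inline.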
We had better use org-babel-process-file-name, which also handles TRAMP
file names.

I am canceling the patch, in favor of the alternative fix.
Canceled.

Fixed, on main.
https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=b9ba12c2c

:cmdline parameters also need to be modified; for example:

    #+begin_src plantuml :cmdline ";echo hi>/tmp/plantuml_test.txt" :file "/tmp/xx.svg"
    Bob -> Alice : hello
    #+end_src
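Added example (not code from the patch or from Org's own ob-plantuml.el) showing the raw `format` call beside the variant the thread recommends; the `my/` helpers are hypothetical names chosen for this illustration:

```elisp
(require 'ob-core)

;; Unsafe: the file name is spliced into the command line verbatim, so
;; shell metacharacters in it are interpreted by the shell.
(defun my/inkscape-command-raw (out-file)
  "Build the inkscape command line without any quoting (what the old code did)."
  (format "inkscape %s -T -l %s" out-file out-file))

;; Safe: `org-babel-process-file-name' expands the name, strips a TRAMP
;; remote prefix so the (remote) shell sees a local path, and
;; shell-quotes the result so it is always a single argument.
(defun my/inkscape-command-safe (out-file)
  "Build the inkscape command line with OUT-FILE quoted for the shell."
  (let ((f (org-babel-process-file-name out-file)))
    (format "inkscape %s -T -l %s" f f)))

;; Constructed sample: a path containing a space and a parenthesis.
;; The raw form yields four separate shell words; the safe form keeps the
;; name as one argument (compare the two strings in *scratch*).
(let ((name "/tmp/diagram (v2).svg"))
  (list (my/inkscape-command-raw name)
        (my/inkscape-command-safe name)))
```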