Re: [Orgmode] [BUG] [Babel] Quotes-in-strings not being escaped in python, breaking output
Hi,

Thanks for raising this issue. While I don't consider it a security issue (code blocks are already executing arbitrary code on your system), it is certainly a failure in the parsing of input from scripting languages (actually any language which has single-quote delimited strings).

I just pushed up a fix which should resolve these issues (and some related issues) in ruby, python and Haskell. The following example now executes as expected for me.

Thanks for the report -- Eric

** reading from single-quote-delim languages

#+BEGIN_SRC python
return [['607', 'Show license short, name on the deed'], ['255', '(message (concat 'hello ' 'world))]]
#+END_SRC

#+results:
| 607 | Show license short, name on the deed |
| 255 | '(message (concat 'hello ' 'world)) |

#+begin_src ruby
[['607', 'Show license, short name on the deed'], ['255', ))'(message (concat 'hello ' 'world]]
#+end_src

#+results:
| 607 | Show license, short name on the deed |
| 255 | ))'(message (concat 'hello ' 'world |

#+begin_src haskell
[['single quotes', b], [\double quotes\, d]]
#+end_src

#+results:
| 'single quotes' | b |
| double quotes | d |

Christopher Allan Webber cweb...@dustycloud.org writes:

I worry about this a bit because of the possible security issue: the ability to execute arbitrary code, since the structure that gets constructed is eval'ed. eg:

#+BEGIN_SRC python
return [['607', 'Show license short name on the deed'], ['255', '))(message (concat 'hello ' 'world]]
#+END_SRC

That constructs a set of listp objects which are evaluated and look like:

'((607 Show license short name on the deed) (255 )) (message (concat hello world))

It doesn't seem like the second one is being evaluated but it makes me nervous that it's being passed through eval like this at all.

Christopher Allan Webber cweb...@dustycloud.org writes:

It looks like \' and are not being escaped in org-babel-python-table-or-string, which is the problem.

Christopher Allan Webber cweb...@dustycloud.org writes:

Strings with quotes in them aren't having the inner quotes escaped right while read by ob-python in python. Example:

#+BEGIN_SRC python
return [['607', 'Show license short name on the deed'], ['255', 'Smart 404 pages']]
#+END_SRC

#+results:
| 607 | Show license short name on the deed | | |
| 255 | | Smart | 404 pages |

___
Emacs-orgmode mailing list
Please use `Reply All' to send replies to the list.
Emacs-orgmode@gnu.org
http://lists.gnu.org/mailman/listinfo/emacs-orgmode
[Orgmode] [BUG] [Babel] Quotes-in-strings not being escaped in python, breaking output
Strings with quotes in them aren't having the inner quotes escaped right while read by ob-python in python. Example:

#+BEGIN_SRC python
return [['607', 'Show license short name on the deed'], ['255', 'Smart 404 pages']]
#+END_SRC

#+results:
| 607 | Show license short name on the deed | | |
| 255 | | Smart | 404 pages |
Re: [Orgmode] [BUG] [Babel] Quotes-in-strings not being escaped in python, breaking output
It looks like \' and are not being escaped in org-babel-python-table-or-string, which is the problem.

Christopher Allan Webber cweb...@dustycloud.org writes:

Strings with quotes in them aren't having the inner quotes escaped right while read by ob-python in python. Example:

#+BEGIN_SRC python
return [['607', 'Show license short name on the deed'], ['255', 'Smart 404 pages']]
#+END_SRC

#+results:
| 607 | Show license short name on the deed | | |
| 255 | | Smart | 404 pages |
Re: [Orgmode] [BUG] [Babel] Quotes-in-strings not being escaped in python, breaking output
I worry about this a bit because of the possible security issue: the ability to execute arbitrary code, since the structure that gets constructed is eval'ed. eg:

#+BEGIN_SRC python
return [['607', 'Show license short name on the deed'], ['255', '))(message (concat 'hello ' 'world]]
#+END_SRC

That constructs a set of listp objects which are evaluated and look like:

'((607 Show license short name on the deed) (255 )) (message (concat hello world))

It doesn't seem like the second one is being evaluated but it makes me nervous that it's being passed through eval like this at all.

Christopher Allan Webber cweb...@dustycloud.org writes:

It looks like \' and are not being escaped in org-babel-python-table-or-string, which is the problem.

Christopher Allan Webber cweb...@dustycloud.org writes:

Strings with quotes in them aren't having the inner quotes escaped right while read by ob-python in python. Example:

#+BEGIN_SRC python
return [['607', 'Show license short name on the deed'], ['255', 'Smart 404 pages']]
#+END_SRC

#+results:
| 607 | Show license short name on the deed | | |
| 255 | | Smart | 404 pages |
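
The failure class discussed in this thread, as an added Python sketch that is not code from the thread or from Org-mode: a textual rewrite of a Python result into an s-expression lets quote characters in the data change the structure a reader sees, while parsing first and escaping each string keeps data as data. `naive_to_sexp` is an assumed model of an unescaped conversion, not ob-python's implementation; all function names and the sample rows are constructed.

```python
import ast
import re

# Constructed sample rows, modelled on the two cases in the thread.
QUOTED = [['607', 'Show license "short name" on the deed']]
PARENS = [['255', '"))(message "hello")(("']]
TOKEN = re.compile(r'\s*(?:([()])|"((?:\\.|[^"\\])*)"|([^()\s"]+))', re.S)

def naive_to_sexp(py_repr):
    # Assumed model of the bug: textual rewrite with no escaping.
    out = py_repr.replace("[", "(").replace("]", ")").replace(", ", " ")
    return out.replace("'", '"')

def safe_to_sexp(py_repr):
    # Parse the Python literal, then serialize each value with escaping.
    def emit(v):
        if isinstance(v, (list, tuple)):
            return "(" + " ".join(emit(x) for x in v) + ")"
        if isinstance(v, str):  # escape backslash first, then the quote
            return '"' + v.replace("\\", "\\\\").replace('"', '\\"') + '"'
        if isinstance(v, (int, float)) and not isinstance(v, bool):
            return repr(v)
        raise TypeError(f"unsupported value: {v!r}")
    return emit(ast.literal_eval(py_repr))

def read_forms(text):
    # Minimal string-aware reader: returns top-level forms as nested lists
    # (strings and symbols both come back as Python str).
    stack, pos, text = [[]], 0, text.rstrip()
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"unreadable input at offset {pos}")
        paren, string, atom = m.groups()
        if paren == "(":
            stack.append([])
        elif paren == ")":
            if len(stack) == 1:
                raise ValueError("unbalanced ')'")
            form = stack.pop()
            stack[-1].append(form)
        elif string is not None:
            stack[-1].append(re.sub(r"\\(.)", r"\1", string, flags=re.S))
        else:
            stack[-1].append(atom)
        pos = m.end()
    if len(stack) != 1:
        raise ValueError("unbalanced '('")
    return stack[0]
```

With `QUOTED`, the naive form reads back as a five-cell row instead of two cells; with `PARENS`, it reads back as three top-level forms instead of one, whereas the escaped form round-trips to the original rows in both cases.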