On 18/08/2023 15:43, Ihor Radchenko wrote:
Max Nikulin writes:

#+begin_src sqlite :db '(literal "/tmp/ob.sqlite$(date >/tmp/ob-sqlite-vuln.log)")
  select 1
#+end_src

Handling lisp values in header arguments is a much more general issue not tied to ob-sql or even to running shell commands. It should be addressed alongside with https://orgmode.org/list/87edsd5o89.fsf@localhost

Ihor, this is a list, not an expression to be evaluated. There are some conditions to avoid user prompts for strings, lists, etc. They are considered safe.
This particular case is handled namely by ob-sqlite and the proposed function in org-macs.
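
The distinction drawn in the reply above, as an added example that is not part of the original message or of Org mode's code: a string that is never evaluated as Lisp is still expanded by the shell when it is pasted unquoted into a command line, and quoting it at that point keeps it inert. `printf` stands in for sqlite3, and the helper names and the temp-dir marker file are assumptions made for the demonstration.

```shell
# POSIX single-quote escaping: wrap in '...' and rewrite each ' as '\''.
sh_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Constructed value modelled on the :db header argument quoted above; the
# marker goes to a private temp dir ($1) instead of /tmp/ob-sqlite-vuln.log.
make_db_arg() {
    printf '%s' "/tmp/ob.sqlite\$(date >$1)"
}

# Unquoted: the value is pasted verbatim into the command line, so the inner
# shell performs command substitution before the program starts.
# printf is a stand-in for sqlite3 (assumption): it echoes the argument it got.
run_unquoted() {
    sh -c "printf '%s\n' $1" >/dev/null 2>&1
}

# Quoted: the same value reaches the program as one literal argument.
run_quoted() {
    sh -c "printf '%s\n' $(sh_quote "$1")"
}

# Runs both variants and reports whether the embedded command executed.
demo() {
    dir=$(mktemp -d) || return 1
    db=$(make_db_arg "$dir/marker")

    run_unquoted "$db"
    [ -e "$dir/marker" ] && unquoted=executed || unquoted=inert
    rm -f "$dir/marker"

    received=$(run_quoted "$db")
    [ -e "$dir/marker" ] && quoted=executed || quoted=inert
    [ "$received" = "$db" ] && intact=yes || intact=no

    rm -rf "$dir"
    echo "unquoted=$unquoted quoted=$quoted argument_intact=$intact"
}

demo
```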
