On 10.02.2024 00:04, Ihor Radchenko wrote:
> gerard.vermeu...@posteo.net writes:
>
> > I have a direct use for org-latex-toc-command being a file local
> > safe variable and I looked a bit around for other variables not
> > being file local safe for no good reason IMO (why those not,
> > while similar variables yes).
> >
> > I have attached a patch which makes six variables file local safe.
>
> Thanks! I agree about all but org-latex-toc-command.
> Although, I am not sure if org-latex-toc-command is really safe to set
> to an arbitrary value.

You are right, it is not safe, BUT:

The attached org file (not really malicious) shows how to create a
malicious org file for any file local "safe" string variable in ox-latex
when exporting to LaTeX and compiling with the -shell-escape option.

Therefore, I attached a patch removing the :safe #'stringp from those
variables.

Attachment: malicious.org
Description: Binary data

Attachment: 0001-ox-latex-string-variables-are-not-file-local-safe.patch
Description: Binary data
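
As an added example (not code from this thread or from Org), a small Python audit that lists the file-local settings of ox-latex variables in an Org file so they can be read before the file is exported and compiled with -shell-escape. The sample text and the name `org-latex-hypothetical-option` are constructed, and the parsing is a simplified approximation of how Emacs reads file-local variables.

```python
import re

# Assumption of this sketch: report every file-local org-latex-* setting,
# whatever its value, so it can be read before the file is exported.
OX_LATEX_VAR = re.compile(r"org-latex-[a-z0-9-]+\Z")

def prop_line_pairs(text):
    """Yield (line_no, name, value) from a '-*- a: b; c: d -*-' line at the top."""
    for no, line in enumerate(text.split("\n")[:2], start=1):
        m = re.search(r"-\*-(.*?)-\*-", line)
        if m:
            for item in m.group(1).split(";"):  # naive split, may over-report
                name, sep, value = item.partition(":")
                if sep:
                    yield no, name.strip(), value.strip()
            return

def block_pairs(text):
    """Yield (line_no, name, value) from a 'Local Variables:' ... 'End:' block."""
    start = text[:max(0, len(text) - 3000)].count("\n")  # Emacs reads the last 3000 chars
    prefix = None
    for no, line in enumerate(text.split("\n")[start:], start=start + 1):
        if prefix is None:
            m = re.match(r"(.*?)Local Variables:", line, re.I)
            prefix = m.group(1) if m else None
            continue
        body = line[len(prefix):] if line.startswith(prefix) else line
        name, sep, value = body.partition(":")
        if name.strip().lower() == "end":
            return
        if sep:
            yield no, name.strip(), value.strip()

def audit(text):
    """Return (line_no, name, value) for each file-local ox-latex variable."""
    found = [*prop_line_pairs(text), *block_pairs(text)]
    return [(no, n, v) for no, n, v in found if OX_LATEX_VAR.match(n)]

# Constructed sample; org-latex-hypothetical-option is a made-up name.
SAMPLE = r'''# -*- mode: org; org-latex-toc-command: "\\tableofcontents\\newpage"; -*-
#+title: constructed sample
Body text.
# Local Variables:
# org-latex-hypothetical-option: "x"
# fill-column: 72
# End:
'''

if __name__ == "__main__":
    for no, name, value in audit(SAMPLE):
        print(f"line {no}: {name} = {value}")
```
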
