Max Nikulin <maniku...@gmail.com> writes:

> It is documented as
> "   :cmdline <arg_1> ... [arg_n]
>
>     Use the :cmdline header arg to pass arguments to a shell command."
>
> However, the current implementation allows code injection through args,
> including a trivial one
>
> #+header-arg: :results verbatim
> #+begin_src sh :cmdline 1 ; touch /tmp/not-an-arg
> printf '%s\n' "$@"
> #+end_src
>
> #+RESULTS:
> : 1
>
> "touch ..." *are not arguments of the script*. So users should be
> careful to get documented behavior.
I do not see any way to address this concern without introducing a feature regression. So, let's keep things as they are and maybe document that :cmdline ... is passed verbatim as a shell command.

>> What might be done is introducing _two_ different header arguments - one
>> for interpreter switches, and another for script/program switches.
>>
>> Say, :interpreter-cmdline and :script-cmdline.
>> Then, we can call the current :cmdline behaviour "dwim" and allow users
>> to be more explicit if necessary.
>
> It is too easy to confuse org-babel, so "dwim" works in simple cases
> only. Independent header arguments make things more clear, I would
> prefer :script-args. The question is whether they should be interpreted
> by shell (flexibility and shooting feet) or more strict syntax `("hello
> world" 1 a) should be used.

I like :script-args. The counterpart should then be :interpreter-args?

The point of "dwim" is mostly to keep backwards-compatibility. We may discourage :cmdline for non-trivial cases.

More strict syntax with '(<arga> <argb> <argc> ...) is possible for the new header arguments, not for the old :cmdline where the existing backends may not be able to understand the list format.

-- 
Ihor Radchenko // yantar92,
Org mode contributor,
Learn more about Org mode at <https://orgmode.org/>.
Support Org development at <https://liberapay.com/org-mode>,
or support my work at <https://liberapay.com/yantar92>
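The difference between the two designs discussed in the thread, shown as an added stand-alone shell example (not code from Org mode or from either poster): `verbatim_cmdline` splices the header text into the command string the way the current :cmdline does, so the shell re-parses it; `quoted_cmdline` is the stricter per-argument model a :script-args list would need, where every element reaches the script as exactly one positional parameter. The script body, the `not-an-arg` marker and the function names are constructed for the demonstration.

```shell
# Stand-in for the tangled babel body: it just echoes its arguments.
SCRIPT=$(mktemp)
trap 'rm -f "$SCRIPT"' EXIT
cat > "$SCRIPT" <<'EOF'
printf '%s\n' "$@"
EOF

# Current :cmdline behaviour: the raw text is appended unquoted to the
# command line, so ';' and friends are interpreted by the outer shell.
verbatim_cmdline() {
    sh -c "sh \"$SCRIPT\" $1"
}

# POSIX single-quoting of one argument: wrap in '...' and escape
# embedded single quotes as '\''.
quote_arg() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Stricter model: each list element is quoted individually, so the
# script receives it as a single argument regardless of its content.
quoted_cmdline() {
    args=""
    for a in "$@"; do
        args="$args $(quote_arg "$a")"
    done
    sh -c "sh \"$SCRIPT\" $args"
}

# Verbatim: the script prints "1", then a second, separate command runs.
verbatim_cmdline '1 ; echo not-an-arg'
# Quoted: the whole string is one argument and is printed as such.
quoted_cmdline '1 ; echo not-an-arg'
# Quoted list form of the thread's ("hello world" 1 a): three arguments.
quoted_cmdline 'hello world' 1 a
```

The verbatim call produces two lines of output although the script was given a single argument; the quoted call produces one line containing the unaltered text.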