lux <[email protected]> writes:

> The `org-babel-execute:plantuml' function does not properly escape the
> `out-file' parameter when invoking the `inkscape' command. This leads to
> a command injection vulnerability.
That's not really a vulnerability. Not when you can do command injection officially, via the :cmdline header argument. But it is indeed a bug.

> - (org-babel-eval (format "inkscape %s -T -l %s" out-file out-file)
> ""))
> + (org-babel-eval (format "inkscape %s -T -l %s"
> + (shell-quote-argument out-file)
> + (shell-quote-argument out-file)) ""))

We should better use org-babel-process-file-name that also handles tramp file names.

I am canceling the patch, in favor of the alternative fix.

Canceled.

Fixed, on main.
https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=b9ba12c2c

-- 
Ihor Radchenko // yantar92,
Org mode maintainer,
Learn more about Org mode at <https://orgmode.org/>.
Support Org development at <https://liberapay.com/org-mode>,
or support my work at <https://liberapay.com/yantar92>
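Review bot: the `+' lines quote `out-file' with `shell-quote-argument' only, which leaves a remote (TRAMP) prefix such as "/ssh:host:" in the string handed to the shell; `org-babel-process-file-name' strips that prefix and then quotes the local name, so both `%s' slots should use `(org-babel-process-file-name out-file)', ideally bound once with `let' rather than computed twice.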
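To show the difference between the unquoted command, the patch's `shell-quote-argument' approach and the `org-babel-process-file-name' fix the maintainer points to, here is an added example; it is neither the submitted patch nor the commit on main, it assumes an Emacs with Org loaded (`ob-core' defines `org-babel-process-file-name'), and the `my/' helpers and file names are constructed for illustration.

```elisp
;; Added example, not code from the Org mode patch or the fix on main.
;; Assumes Emacs with Org loaded; all `my/' helpers and the file names
;; below are constructed for illustration.
(require 'ob-core)

(defun my/inkscape-cmd-unquoted (out-file)
  "Vulnerable form mirroring the removed line: OUT-FILE is spliced
into the shell command line verbatim, so shell metacharacters in
the file name become part of the command."
  (format "inkscape %s -T -l %s" out-file out-file))

(defun my/inkscape-cmd-shell-quoted (out-file)
  "Form proposed by the patch: each occurrence is run through
`shell-quote-argument', which protects the local shell but keeps a
TRAMP remote prefix in the string."
  (format "inkscape %s -T -l %s"
          (shell-quote-argument out-file)
          (shell-quote-argument out-file)))

(defun my/inkscape-cmd-processed (out-file)
  "Form using `org-babel-process-file-name': any TRAMP remote prefix
is dropped (the process runs on that host, where the prefix means
nothing) and the remaining local name is quoted for the shell."
  (let ((f (org-babel-process-file-name out-file)))
    (format "inkscape %s -T -l %s" f f)))

(defun my/compare-inkscape-cmds (out-file)
  "Return the three command lines built from OUT-FILE, side by side."
  (list :unquoted      (my/inkscape-cmd-unquoted out-file)
        :shell-quoted  (my/inkscape-cmd-shell-quoted out-file)
        :processed     (my/inkscape-cmd-processed out-file)))

;; Constructed local name with a `;' and a space: in the unquoted form
;; the `;' terminates the inkscape command and the rest runs as a
;; second command; in the other two forms the metacharacters are
;; escaped and the whole name stays a single argument.
(my/compare-inkscape-cmds "/tmp/diagram;echo injected.svg")

;; Constructed TRAMP name (host is a placeholder): only the processed
;; form removes the "/ssh:host:" prefix before quoting.
(my/compare-inkscape-cmds "/ssh:host:/home/user/diagram.svg")
```

Evaluate the buffer in Emacs and inspect the two returned plists to see how each form treats the file name.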
