Hi,

Thanks for raising this issue up. While I don't consider it a security issue (code blocks are already executing arbitrary code on your system), it is certainly a failure in the parsing of input from scripting languages (actually any language which has single-quote delimited strings).

I just pushed up a fix which should resolve these issues (and some related issues) in ruby, python and Haskell. The following example now executes as expected for me.

Thanks for the report -- Eric

** reading from single-quote-delim languages
#+BEGIN_SRC python
return [['607', 'Show license short, name on the deed'], ['255', "'(message (concat 'hello ' 'world))"]]
#+END_SRC

#+results:
| 607 | Show license short, name on the deed |
| 255 | '(message (concat 'hello ' 'world)) |

#+begin_src ruby
[['607', 'Show license, short name on the deed'], ['255', "))'(message (concat 'hello ' 'world"]]
#+end_src

#+results:
| 607 | Show license, short name on the deed |
| 255 | ))'(message (concat 'hello ' 'world |

#+begin_src haskell
[["'single quotes'", "b"], ["\"double quotes\"", "d"]]
#+end_src

#+results:
| 'single quotes' | b |
| "double quotes" | d |

Christopher Allan Webber <cweb...@dustycloud.org> writes:

> I worry about this a bit because of the possible security issue: the
> ability to execute arbitrary code, since the structure that gets
> constructed is eval'ed.
>
> eg:
>
> #+BEGIN_SRC python
> return [['607', 'Show license short name on the deed'],
> ['255', "'))(message (concat 'hello ' 'world"]]
> #+END_SRC
>
> That constructs a set of listp objects which are evaluated and look
> like:
>
> '(("607" "Show license short name on the deed") ("255" ""))
> (message (concat "hello " "world"))
>
> It doesn't seem like the second one is being evaluated but it makes me
> nervous that it's being passed through eval like this at all.
>
> Christopher Allan Webber <cweb...@dustycloud.org> writes:
>
>> It looks like \' and " are not being escaped in
>> org-babel-python-table-or-string, which is the problem.
>>
>> Christopher Allan Webber <cweb...@dustycloud.org> writes:
>>
>>> Strings with quotes in them aren't having the inner quotes escaped right
>>> while read by ob-python in python.
>>>
>>> Example:
>>>
>>> #+BEGIN_SRC python
>>> return [['607', 'Show license short name on the deed'],
>>> ['255', '"Smart" 404 pages']]
>>> #+END_SRC
>>>
>>> #+results:
>>> | 607 | Show license short name on the deed | | |
>>> | 255 | | Smart | 404 pages |

_______________________________________________
Emacs-orgmode mailing list
Please use `Reply All' to send replies to the list.
Emacs-orgmode@gnu.org
http://lists.gnu.org/mailman/listinfo/emacs-orgmode
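An added example, not part of this thread and not org-babel's own code, showing in Python why the failure above happens and what the converter has to guarantee instead. Textually swapping `'` for `"` in the repr text that a Python block returns lets a quote inside a string terminate that string early, so the Lisp reader sees a different structure (the `| 255 | | Smart | 404 pages |` row) or cannot read the text at all; serialising the value with proper escaping keeps every embedded quote inside one Lisp string, so one result always reads back as exactly one form. The helpers `naive_quote_swap`, `to_elisp_literal`, `from_repr_text`, `read_elisp_forms` and `is_single_form` are hypothetical names written for this example, and the two sample values are constructed from the thread's examples.

```python
"""Added example, not ob-python code: textual quote swapping versus an
escaping serialiser for Python results bound for the Emacs Lisp reader."""
import ast

# Constructed samples, modelled on the two examples quoted in the thread.
SAMPLE_PLAIN = [['607', 'Show license short name on the deed'],
                ['255', '"Smart" 404 pages']]
SAMPLE_INJECT = [['607', 'Show license short name on the deed'],
                 ['255', "'))(message (concat 'hello ' 'world"]]


def naive_quote_swap(value):
    """Fragile textual conversion (hypothetical): take repr() text, turn
    brackets into parentheses, commas into spaces and single quotes into
    double quotes.  Quotes inside strings are never escaped, so the text
    no longer describes a single list (commas inside strings vanish too)."""
    text = repr(value)
    return (text.replace('[', '(').replace(']', ')')
                .replace(',', ' ').replace("'", '"'))


def _escape(s):
    # Emacs Lisp string syntax: only backslash and double quote need escaping.
    return s.replace('\\', '\\\\').replace('"', '\\"')


def to_elisp_literal(value):
    """Serialise nested lists/tuples of str, int, float, bool and None into
    one Emacs Lisp literal; every string is quoted and escaped.  Anything
    else raises TypeError rather than being guessed at."""
    if isinstance(value, bool):
        return 't' if value else 'nil'
    if value is None:
        return 'nil'
    if isinstance(value, (int, float)):
        return repr(value)
    if isinstance(value, str):
        return '"' + _escape(value) + '"'
    if isinstance(value, (list, tuple)):
        return '(' + ' '.join(to_elisp_literal(v) for v in value) + ')'
    raise TypeError('unsupported type: ' + type(value).__name__)


def from_repr_text(text):
    """Convert the repr text a Python block printed into an Elisp literal.
    ast.literal_eval accepts literal syntax only, so the text is parsed as
    data, never evaluated as code."""
    return to_elisp_literal(ast.literal_eval(text))


def read_elisp_forms(text):
    """Minimal reader for the subset to_elisp_literal emits: lists, strings,
    integers and bare symbols (returned as ('symbol', name)).  Returns all
    top-level forms; raises ValueError on unbalanced parentheses or an
    unterminated string."""
    pos, n = 0, len(text)

    def skip_space():
        nonlocal pos
        while pos < n and text[pos].isspace():
            pos += 1

    def read_one():
        nonlocal pos
        skip_space()
        if pos >= n:
            raise ValueError('unexpected end of input')
        c = text[pos]
        if c == '(':
            pos += 1
            items = []
            while True:
                skip_space()
                if pos >= n:
                    raise ValueError('unterminated list')
                if text[pos] == ')':
                    pos += 1
                    return items
                items.append(read_one())
        if c == ')':
            raise ValueError('unbalanced ")"')
        if c == '"':
            pos += 1
            chars = []
            while pos < n and text[pos] != '"':
                if text[pos] == '\\':      # \" and \\ are the escapes we emit
                    pos += 1
                    if pos >= n:
                        break
                chars.append(text[pos])
                pos += 1
            if pos >= n:
                raise ValueError('unterminated string')
            pos += 1
            return ''.join(chars)
        start = pos
        while pos < n and not text[pos].isspace() and text[pos] not in '()"':
            pos += 1
        atom = text[start:pos]
        return int(atom) if atom.lstrip('-').isdigit() else ('symbol', atom)

    forms = []
    skip_space()
    while pos < n:
        forms.append(read_one())
        skip_space()
    return forms


def is_single_form(text):
    """True when the text reads back as exactly one well-formed form, the
    property a correctly serialised single result must satisfy."""
    try:
        return len(read_elisp_forms(text)) == 1
    except ValueError:
        return False


if __name__ == '__main__':
    for sample in (SAMPLE_PLAIN, SAMPLE_INJECT):
        print('naive  :', naive_quote_swap(sample), is_single_form(naive_quote_swap(sample)))
        print('escaped:', to_elisp_literal(sample), is_single_form(to_elisp_literal(sample)))
```

Running it shows the naive text for the `"Smart" 404 pages` sample reading back as the four-cell row from the thread, and the naive text for the `'))(message ...` sample failing to read at all, while the escaped form of either sample reads back as exactly the original two-row list. The check `is_single_form` is the regression test worth keeping for any such converter: one value in, one well-formed form out, regardless of which quote characters the value contains.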