Re: Compact schedule in agenda day view

[Angel de Vicente]

Hello,

Marcin Borkowski  writes:

> And you could have found it out yourself with `C-h l' (`view-lossage').
> `C-h m' (`describe-mode') and `C-h k' (`describe-key') are also useful

thanks for the tips. I had used 'view-lossage' in the past, but I had
forgotten about it... :-)

Cheers,
-- 
Ángel de Vicente
 Research Software Engineer (Supercomputing and BigData)
 Tel.: +34 922-605-747
 Web.: http://research.iac.es/proyecto/polmag/

 GPG: 0x8BDC390B69033F52
-
AVISO LEGAL: Este mensaje puede contener información confidencial y/o 
privilegiada. Si usted no es el destinatario final del mismo o lo ha recibido 
por error, por favor notifíquelo al remitente inmediatamente. Cualquier uso no 
autorizadas del contenido de este mensaje está estrictamente prohibida. Más 
información en: https://www.iac.es/es/responsabilidad-legal
DISCLAIMER: This message may contain confidential and / or privileged 
information. If you are not the final recipient or have received it in error, 
please notify the sender immediately. Any unauthorized use of the content of 
this message is strictly prohibited. More information:  
https://www.iac.es/en/disclaimer

Re: [PATCH] Fix ob-latex.el command injection vulnerability.

[lux]

On Sat, 2023-02-18 at 11:43 +, Ihor Radchenko wrote:
> lux  writes:
> 
> > -  (shell-command (format "mv %s %s" img-out out-
> > file)
> > +  (rename-file img-out out-file
> 
> I think should be (rename-file img-out out-file t)
> 

Yes, my pachted changed it, thank you.

Re: Template for ob- packages?

[Matt]

  On Fri, 17 Feb 2023 17:32:18 -0500  Leo Butler  wrote --- 

 > Matt, thanks for sharing those notes. I would suggest that they be added
 > to worg in their current state.

Thanks for your vote of confidence.

I've attached the source, in case someone wants to do that.  Otherwise, I'll 
get to it when I can.

2021-11-03-org_babel.org
Description: Binary data

Re: [Bug] 'org-font-lock-extra-keywords' appear next to the parent heading when its subtree is folded.

[Philipp Kiefer]

Even though it can be toggled via the 'hide' variable? Okay, will do!

On 18.02.2023 11:41, Ihor Radchenko wrote:

Philipp Kiefer  writes:


Please peruse attached to reproduce another glitch that occurs with
(setq org-hide-emphasis-markers t). The screencast illustrates what
happens in the sample file. The glitch (the pointer automatically
dropping to the line below a heading rather than staying at the far
right of the heading) seems to occur only when point is on a line below
the mouse click location (the mouse is clicked in the empty space to the
right of headlines) and it does not seem to happen for headings with
children.

I can reproduce, but I do not think that it is Org's bug.
I recommend you sending this reproducer to Emacs devs (M-x
report-emacs-bug).

[PATCH] Avoid crash in `org-file-contents' in case of network failure

[Damien Cassou]

* lisp/org.el (org-file-contents): Wrap the
`url-retrieve-synchronously' call into a `condition-case' block to
avoid throwing an error when NOERROR is non-nil.

-- 
Damien Cassou

"Success is the ability to go from one failure to another without
losing enthusiasm." --Winston Churchill
>From b13b58711405afd1a065c371251ec0ada35d86dc Mon Sep 17 00:00:00 2001
From: Damien Cassou 
Date: Sat, 18 Feb 2023 12:16:48 +0100
Subject: [PATCH] Avoid crash in `org-file-contents' in case of network failure

* lisp/org.el (org-file-contents): Wrap the
`url-retrieve-synchronously' call into a `condition-case' block to
avoid throwing an error when NOERROR is non-nil.
---
 lisp/org.el | 34 +++---
 1 file changed, 19 insertions(+), 15 deletions(-)

diff --git a/lisp/org.el b/lisp/org.el
index cc2c09e3a..e777f21f8 100644
--- a/lisp/org.el
+++ b/lisp/org.el
@@ -4561,21 +4561,25 @@ (defun org-file-contents (file  noerror nocache)
  (cache)
  (is-url
   (if (org--should-fetch-remote-resource-p file)
-  (with-current-buffer (url-retrieve-synchronously file)
-(goto-char (point-min))
-;; Move point to after the url-retrieve header.
-(search-forward "\n\n" nil :move)
-;; Search for the success code only in the url-retrieve header.
-(if (save-excursion
-  (re-search-backward "HTTP.*\\s-+200\\s-OK" nil :noerror))
-;; Update the cache `org--file-cache' and return contents.
-(puthash file
- (buffer-substring-no-properties (point) (point-max))
- org--file-cache)
-  (funcall (if noerror #'message #'user-error)
-   "Unable to fetch file from %S"
-   file)
-  nil))
+  (condition-case error
+  (with-current-buffer (url-retrieve-synchronously file)
+(goto-char (point-min))
+;; Move point to after the url-retrieve header.
+(search-forward "\n\n" nil :move)
+;; Search for the success code only in the url-retrieve header.
+(if (save-excursion
+  (re-search-backward "HTTP.*\\s-+200\\s-OK" nil :noerror))
+;; Update the cache `org--file-cache' and return contents.
+(puthash file
+ (buffer-substring-no-properties (point) (point-max))
+ org--file-cache)
+  (funcall (if noerror #'message #'user-error)
+   "Unable to fetch file from %S"
+   file)
+  nil))
+(error (if noerror
+   (message "%s %S" (car error) (cdr error))
+ (signal (car error) (cdr error)
 (funcall (if noerror #'message #'user-error)
  "The remote resource %S is considered unsafe, and will not be downloaded."
  file)))
-- 
2.38.3

Re: RFC on implementation adding buttons beside headings

[pareto optimal]

I forgot the implementation:

```
(define-button-type 'org-clock-in-button
  'follow-link t
  'face 'custom-button
  'mouse-face 'custom-button-mouse
  'action (lambda (b) (org-clock-in)))

(define-button-type 'org-clock-out-button
  'follow-link t
  'face 'custom-button
  'mouse-face 'custom-button-mouse
  'action (lambda (b) (org-clock-out)))

(defun has-clock-in-button ()
  (s-contains? "Clock In" (nth 4 (org-heading-components

 (defun has-clock-out-button ()
  (s-contains? "Clock Out" (nth 4 (org-heading-components

(defun pod/add-clock-in-button-to-right-of-heading ()
  (unless (has-clock-in-button)
  (save-excursion
    (org-end-of-line)
    (let ((end-of-line-before-insert (point)))
      (insert "    Clock In")
      (let* ((button-start (+ 4 end-of-line-before-insert))
    (button-end (+ 8 button-start)))
(make-button button-start button-end :type 'org-clock-in-button))

;; (defun remove-clock-in-button ()
;; )

(defun pod/add-clock-out-button-to-right-of-heading ()
  (unless (has-clock-out-button)
  (outline-up-heading)
  ;; (remove-clock-in-button)
  (save-excursion
    (org-end-of-line)
    (let ((end-of-line-before-insert (point)))
      (insert "    Clock Out")
      (let* ((button-start (+ 4 end-of-line-before-insert))
    (button-end (+ 9 button-start)))
(make-button button-start button-end :type 'org-clock-out-button))

(add-hook 'org-after-todo-state-change-hook 
#'pod/add-clock-in-button-to-right-of-heading)

(add-hook 'org-clock-in-hook #'pod/add-clock-out-button-to-right-of-heading)

(add-hook 'org-clock-out-hook #'pod/add-clock-in-button-to-right-of-heading)
```

On Feb 18, 2023 at 10:00 AM, pareto optimal  
wrote:
Hi all!

I've recently been playing with emacs on Android and wanted an easier way to 
clock in.

My idea was to put buttons beside org headings that are TODO items. I do this 
by:

- removing clocking buttons on heading if present, then adding a clock in 
button on 'org-after-todo-state-change-hook`

- removing clocking buttons on heading if present, then adding a clock out 
button on 'org-clock-in-hook

- removing clocking buttons on heading if present, then adding a clock in 
button on 'org-clock-out-hook

Well, the removing part isn't quite implemented yet but that's the idea. 
Otherwise what I'll paste below is a working implementation.

I'm new to using buttons and emacs and I found the only way to place the button 
where I wanted was to insert some blank space after the heading. Is that 
expected and best practice or is there some other way to do it?

Would this be something useful in core org-mode? I know at least a few friends 
who've asked me "why isn't there some button I can click by headings to clock 
in" when I showed them how I use org-mode.

I also welcome any other ideas or comments.

Thank you for your time.

ParetoOptimalDev
https://www.paretooptimal.dev/

RFC on implementation adding buttons beside headings

[pareto optimal]

Hi all!

I've recently been playing with emacs on Android and wanted an easier way to 
clock in.

My idea was to put buttons beside org headings that are TODO items. I do this 
by:

- removing clocking buttons on heading if present, then adding a clock in 
button on 'org-after-todo-state-change-hook`

- removing clocking buttons on heading if present, then adding a clock out 
button on 'org-clock-in-hook

- removing clocking buttons on heading if present, then adding a clock in 
button on 'org-clock-out-hook

Well, the removing part isn't quite implemented yet but that's the idea. 
Otherwise what I'll paste below is a working implementation.

I'm new to using buttons and emacs and I found the only way to place the button 
where I wanted was to insert some blank space after the heading. Is that 
expected and best practice or is there some other way to do it?

Would this be something useful in core org-mode? I know at least a few friends 
who've asked me "why isn't there some button I can click by headings to clock 
in" when I showed them how I use org-mode.

I also welcome any other ideas or comments.

Thank you for your time.

ParetoOptimalDev
https://www.paretooptimal.dev/

Re: How to export org-agenda to ICS to show in iCal

[Max Nikulin]

On 17/02/2023 17:29, Ihor Radchenko wrote:

Alexei Gilev writes:


For months I have been wanting to be able to export my scheduled tasks to
ICS to be able to see it it iCal, which is very visually pleasing and
easier for me to grasp my agenda. Plus, I can see it in the context of my
work tasks, which i don't have in orgmode.


In agenda buffer, M-x write-file  file-name.ics 


Shouldn't it be `org-agenda-write', not `write-file'?

(info "(org) Exporting Agenda Views")
https://orgmode.org/manual/Exporting-Agenda-Views.html

See also

(info "(org) iCalendar Export")
https://orgmode.org/manual/iCalendar-Export.html

Re: [BUG] org-id-get-create creating property drawers after SCHEDULE and DEADLINE keywords [9.6 (release_9.6-3-ga4d38e @ /nix/store/zr2g5z2hbqxa93ndfkx6n0v489al6lfq-emacs-git-20221206.0/share/emacs/30

[Ihor Radchenko]

Alejandro Gallo  writes:

> When you have a headline with a schedule, i.e.
>
> * Hello
> SCHEDULED: <2023-02-18 Sat>
>
> and you run (org-id-get-create) then the PROPERTIES drawer gets added
> AFTER the SCHEDULED keyword.

Sure. Just as it supposed to. See 7.1 Property Syntax section of the manual.

> This renders other third-party packages
> such as https://github.com/dengste/org-caldav/issues/212 partially useless.

Which is org-caldav's problem not recognizing Org syntax.

-- 
Ihor Radchenko // yantar92,
Org mode contributor,
Learn more about Org mode at .
Support Org development at ,
or support my work at 

Re: Bug: code block not evaluated during export when placed in SETUPFILE [9.4 (9.4-elpa @ /home/bruno/.emacs.d/elpa/org-9.4/)]

[Bruno BEAUFILS]

On Sat, Feb 18, 2023 at 10:32:38AM +, Ihor Radchenko wrote:
> I tried to clarify the manual section in the attached patch.

Thank's for your work.


-- 
Bruno BEAUFILS
Trésorier de la Societé Informatique de France


signature.asc
Description: PGP signature

[BUG] org-id-get-create creating property drawers after SCHEDULE and DEADLINE keywords [9.6 (release_9.6-3-ga4d38e @ /nix/store/zr2g5z2hbqxa93ndfkx6n0v489al6lfq-emacs-git-20221206.0/share/emacs/30.0.5

[Alejandro Gallo]

When you have a headline with a schedule, i.e.

* Hello
SCHEDULED: <2023-02-18 Sat>

and you run (org-id-get-create) then the PROPERTIES drawer gets added
AFTER the SCHEDULED keyword. This renders other third-party packages
such as https://github.com/dengste/org-caldav/issues/212 partially useless.


Emacs  : GNU Emacs 30.0.50 (build 1, x86_64-pc-linux-gnu, GTK+ Version
3.24.34, cairo version 1.16.0)
Package: Org mode version 9.6 (release_9.6-3-ga4d38e @
/nix/store/zr2g5z2hbqxa93ndfkx6n0v489al6lfq-emacs-git-20221206.0/share/emacs/30.0.50/lisp/org/)

Re: [PATCH] Fix ob-latex.el command injection vulnerability.

[Ihor Radchenko]

lux  writes:

> -  (shell-command (format "mv %s %s" img-out out-file)
> +  (rename-file img-out out-file

I think should be (rename-file img-out out-file t)

-- 
Ihor Radchenko // yantar92,
Org mode contributor,
Learn more about Org mode at .
Support Org development at ,
or support my work at 

Re: [PATCH] Fix ob-latex.el command injection vulnerability.

[lux]

On Sat, 2023-02-18 at 18:15 +0700, Max Nikulin wrote:
> On 18/02/2023 17:08, lux wrote:
> > -  (shell-command (format "mv %s %s" img-out out-
> > file)
> > +  (shell-command (format "mv %s %s" (shell-quote-
> > argument img-out) (shell-quote-argument out-file))
> 
> Thank you for the patch. Certainly it is an improvement.
> 
> Is there any reason why `rename-file' should be avoided here? I just 
> have discovered this function, so I am unaware of possible pitfalls.
> 
> (info "(elisp) Changing-Files")
> https://www.gnu.org/software/emacs/manual/html_node/elisp/Changing-Files.html#index-rename_002dfile

I think using `rename-file' is good idea. We should use the Emacs
built-in functions as much as possible instead of external shell
commands, becueas these more security.
From adc0c558b1b091bb4bef77901633f31344b7391a Mon Sep 17 00:00:00 2001
From: Xi Lu 
Date: Sat, 18 Feb 2023 18:03:28 +0800
Subject: [PATCH] * lisp/ob-latex.el (org-babel-execute:latex): Fix command
 injection vulnerability.

---
 lisp/ob-latex.el | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lisp/ob-latex.el b/lisp/ob-latex.el
index 428907a27..0d0a37a02 100644
--- a/lisp/ob-latex.el
+++ b/lisp/ob-latex.el
@@ -180,7 +180,7 @@ This function is called by `org-babel-execute-src-block'."
 	 tmp-pdf
  (list org-babel-latex-pdf-svg-process)
  extension err-msg log-buf)))
-  (shell-command (format "mv %s %s" img-out out-file)
+  (rename-file img-out out-file
  ((string-suffix-p ".tikz" out-file)
 	  (when (file-exists-p out-file) (delete-file out-file))
 	  (with-temp-file out-file
-- 
2.30.2

Re: [PATCH] Fix ob-latex.el command injection vulnerability.

[Max Nikulin]

On 18/02/2023 17:08, lux wrote:

-  (shell-command (format "mv %s %s" img-out out-file)
+  (shell-command (format "mv %s %s" (shell-quote-argument img-out) 
(shell-quote-argument out-file))


Thank you for the patch. Certainly it is an improvement.

Is there any reason why `rename-file' should be avoided here? I just 
have discovered this function, so I am unaware of possible pitfalls.


(info "(elisp) Changing-Files")
https://www.gnu.org/software/emacs/manual/html_node/elisp/Changing-Files.html#index-rename_002dfile

[FR] ox-latex: Display exit status of LaTeX compilation command (was: Bug: org-latex-export-to-pdf does not remove .tex file [9.4 (9.4-elpa @ /home/bruno/.emacs.d/elpa/org-9.4/)])

[Ihor Radchenko]

Bruno BEAUFILS  writes:

> On Fri, Feb 17, 2023 at 01:30:37PM +, Ihor Radchenko wrote:
>> Even if we used exit code, what would it achieve?
>
> Knowing if the compilation went well (0 as exit status) or not
> (anything different than 0).

I would not mind.
Patches welcome!

-- 
Ihor Radchenko // yantar92,
Org mode contributor,
Learn more about Org mode at .
Support Org development at ,
or support my work at 

Re: [PATCH] [FR] Fontifying src-blocks with no language specified

[Ihor Radchenko]

cars...@kragelund.me writes:

>> I do not see much problem adding this.
>> See the attached patch.
>
> Hey, this patch works great, minor issue, I believe
> the line (add-to-list 'org-src-block-faces '(("" highlight))
> in ORG-NEWS has an extra opening parenthesis and should
> be (add-to-list 'org-src-block-faces '("" highlight))

Indeed.
Attaching an updated version of the patch.

>From 392a075bb2a75fe16e275745c80d83e7c13fc91d Mon Sep 17 00:00:00 2001
Message-Id: <392a075bb2a75fe16e275745c80d83e7c13fc91d.1676717280.git.yanta...@posteo.net>
From: Ihor Radchenko 
Date: Fri, 17 Feb 2023 15:17:04 +0300
Subject: [PATCH v2] org-fontify-meta-lines-and-blocks-1: Fontify src blocks
 without lang

* lisp/org.el (org-fontify-meta-lines-and-blocks-1): Allow fontifying
src blocks with language specification missing.
* lisp/org-src.el (org-src-block-faces): Clarify in the docstring that
"" language name referes to src blocks with no language.  Remove
redundant :version tag.
* etc/ORG-NEWS (~org-src-block-faces~ now accepts empty string ~""~ as
language name): Announce the change.

Link: https://orgmode.org/list/99388ff3711696091f0312a5c3f0b...@kragelund.me
---
 etc/ORG-NEWS| 15 +++
 lisp/org-src.el |  4 ++--
 lisp/org.el |  4 ++--
 3 files changed, 19 insertions(+), 4 deletions(-)

diff --git a/etc/ORG-NEWS b/etc/ORG-NEWS
index 87ecd77cd..90663ab5a 100644
--- a/etc/ORG-NEWS
+++ b/etc/ORG-NEWS
@@ -24,6 +24,21 @@ consider [[https://gitlab.com/jackkamm/ob-python-mode-mode][ob-python-mode-mode]
 has been ported to.
 
 ** New and changed options
+*** ~org-src-block-faces~ now accepts empty string ~""~ as language name
+
+It is now possible to customize face of source blocks without language specifier.
+
+: #+begin_src
+: Source block with no language
+: #+end_src
+
+For example, to set ~highlight~ face, use
+
+#+begin_src emacs-lisp
+(setq org-src-fontify-natively t)
+(add-to-list 'org-src-block-faces '("" highlight))
+#+end_src
+
 *** New escape in ~org-beamer-environments-extra~ for labels in Beamer export
 The escape =%l= in ~org-beamer-environments-extra~ inserts the label
 obtained from ~org-beamer--get-label~.  This is added to the default
diff --git a/lisp/org-src.el b/lisp/org-src.el
index 9e4392811..2fab4020d 100644
--- a/lisp/org-src.el
+++ b/lisp/org-src.el
@@ -233,7 +233,8 @@ (defcustom org-src-block-faces nil
 
  (\"language\" FACE)
 
-Where FACE is either a defined face or an anonymous face.
+Where FACE is either a defined face or an anonymous face.  Empty
+language string refers to source blocks without specified language.
 
 For instance, the following would color the background of
 emacs-lisp source blocks and python source blocks in purple and
@@ -247,7 +248,6 @@ (defcustom org-src-block-faces nil
(choice
 (face :tag "Face")
 (sexp :tag "Anonymous face"
-  :version "26.1"
   :package-version '(Org . "9.0"))
 
 (defcustom org-src-tab-acts-natively t
diff --git a/lisp/org.el b/lisp/org.el
index cc2c09e3a..d148a14bb 100644
--- a/lisp/org.el
+++ b/lisp/org.el
@@ -5409,9 +5409,9 @@ (defun org-fontify-meta-lines-and-blocks-1 (limit)
 	(org-remove-flyspell-overlays-in beg bol-after-beginline)
 	(org-remove-flyspell-overlays-in nl-before-endline end-of-endline)
 	(cond
-	 ((and lang (not (string= lang "")) org-src-fontify-natively)
+	 (org-src-fontify-natively
 	  (save-match-data
-(org-src-font-lock-fontify-block lang block-start block-end))
+(org-src-font-lock-fontify-block (or lang "") block-start block-end))
 	  (add-text-properties bol-after-beginline block-end '(src-block t)))
 	 (quoting
 	  (add-text-properties
-- 
2.39.1


-- 
Ihor Radchenko // yantar92,
Org mode contributor,
Learn more about Org mode at .
Support Org development at ,
or support my work at 

Re: [Bug] 'org-font-lock-extra-keywords' appear next to the parent heading when its subtree is folded.

[Ihor Radchenko]

Philipp Kiefer  writes:

> Please peruse attached to reproduce another glitch that occurs with 
> (setq org-hide-emphasis-markers t). The screencast illustrates what 
> happens in the sample file. The glitch (the pointer automatically 
> dropping to the line below a heading rather than staying at the far 
> right of the heading) seems to occur only when point is on a line below 
> the mouse click location (the mouse is clicked in the empty space to the 
> right of headlines) and it does not seem to happen for headings with 
> children.

I can reproduce, but I do not think that it is Org's bug.
I recommend you sending this reproducer to Emacs devs (M-x
report-emacs-bug).

-- 
Ihor Radchenko // yantar92,
Org mode contributor,
Learn more about Org mode at .
Support Org development at ,
or support my work at 

Re: Bug: code block not evaluated during export when placed in SETUPFILE [9.4 (9.4-elpa @ /home/bruno/.emacs.d/elpa/org-9.4/)]

[Ihor Radchenko]

Bruno BEAUFILS  writes:

> In the org manual the following lines can be read about #+SETUPFILE:
> (emphaze is mine):
>
> » Org also parses and loads the document during normal exporting process.
> » Org parses the contents of this document **as if it was included** in the
> » buffer.  It can be **another Org file**.

#+SETUPFILE is only parsed for export settings. It is not actually
 included. I admit that the wording may be confusing.

To actually include the document, use #+INCLUDE.

I tried to clarify the manual section in the attached patch.
>From 64cc230e39378d7c1fee4954f415358ae8055c4f Mon Sep 17 00:00:00 2001
Message-Id: <64cc230e39378d7c1fee4954f415358ae8055c4f.1676716311.git.yanta...@posteo.net>
From: Ihor Radchenko 
Date: Sat, 18 Feb 2023 13:30:39 +0300
Subject: [PATCH] org-manual.org: Clarify what SETUPFILE does

* doc/org-manual.org (Summary of In-Buffer Settings): Clarify that
only in-buffer settings are considered in SETUPFILE.  Other contents
is ignored.  Split the explanation into multiple paragraphs.

Reported-by: Bruno BEAUFILS 
Link: https://orgmode.org/list/20230216235224.7g5xdlkcnw2z4k3n@settat
---
 doc/org-manual.org | 19 +++
 1 file changed, 11 insertions(+), 8 deletions(-)

diff --git a/doc/org-manual.org b/doc/org-manual.org
index 5b6633417..60c062921 100644
--- a/doc/org-manual.org
+++ b/doc/org-manual.org
@@ -19922,15 +19922,18 @@ ** Summary of In-Buffer Settings
   #+cindex: @samp{SETUPFILE}, keyword
   The setup file or a URL pointing to such file is for additional
   in-buffer settings.  Org loads this file and parses it for any
-  settings in it only when Org opens the main file.  If URL is
+  settings in it when Org opens the main file.  If URL is
   specified, the contents are downloaded and stored in a temporary
-  file cache.  {{{kbd(C-c C-c)}}} on the settings line parses and
-  loads the file, and also resets the temporary file cache.  Org also
-  parses and loads the document during normal exporting process.  Org
-  parses the contents of this document as if it was included in the
-  buffer.  It can be another Org file.  To visit the file---not
-  a URL---use {{{kbd(C-c ')}}} while point is on the line with the
-  file name.
+  file cache.  {{{kbd(C-c C-c)}}} on the settings line re-parses and
+  re-loads the file, and also resets the temporary file cache.
+
+  Org also parses and loads /in-buffer settings/ from the setup file
+  during normal exporting process.  Org parses the /in-buffer
+  settings/ as if it was included in the containing Org buffer.  The
+  rest of the contents of setup file is ignored.
+
+  To visit the setup file---not a URL---use {{{kbd(C-c ')}}} while point
+  is on the line with the setup file name.
 
 - =#+STARTUP:= ::
 
-- 
2.39.1



-- 
Ihor Radchenko // yantar92,
Org mode contributor,
Learn more about Org mode at .
Support Org development at ,
or support my work at 

[PATCH] Fix ob-latex.el command injection vulnerability.

[lux]

Test environment:
- Emacs 29.0.60
- Orgmode 9.6.1
- TeX Live 2020

Preconditions:

(org-babel-do-load-languages
 'org-babel-load-languages
 '((latex . t)))

The vulnerability occurs in the file ob-latex.el, in the `org-babel-
execute:latex' function, if then file's extension is .svg, using
`shell-command' function to call the `mv' shell command:

  ((string= "svg" extension)
   ...
   (let ((tmp-pdf (org-babel-latex-tex-to-pdf tex-file)))
 (let* (...
(img-out (org-compile-file
  tmp-pdf
  (list org-babel-latex-pdf-svg-process)
  extension err-msg log-buf)))
   (shell-command (format "mv %s %s" img-out out-file)

But the parameter `img-out' and parameter `out-file' are not escape.
So, if file name or directory name contains shell characters and will
be executed.

Example for the vul_test.org file:

  #+name: vul_test
  #+header: :file test;uname -a;.svg
  #+begin_src latex
  \LaTeX
  #+end_src

Using Emacs open it, and press 'C-c C-e l p' export to a pdf file, or
point to begin_src block and press 'C-c C-c' to execute block.

In the '*Message*' buffer, you can see the 'uname -a' command output:

  Executing Latex code block (vul_test)...
  Processing LaTeX file /tmp/babel-UCtwdU/latex-zWDsHS.tex...
  PDF file produced.

  ,** (org.inkscape.Inkscape:145910): WARNING **: 17:27:24.285: Fonts
dir '/usr/share/inkscape/fonts' does not exist and will be ignored.
  Linux lx-debian 5.10.0-21-amd64 #1 SMP Debian 5.10.162-1 (2023-01-21)
x86_64 GNU/Linux  < This is 'uname -a' output
  zsh:1: command not found: .svg
  Code block produced no output (took 1.1s).

This patch fixed it.
From 422ffedc32c31fef39d943612d7e738cf4ad5e23 Mon Sep 17 00:00:00 2001
From: Xi Lu 
Date: Sat, 18 Feb 2023 18:03:28 +0800
Subject: [PATCH] * lisp/ob-latex.el (org-babel-execute:latex): Fix command
 injection vulnerability.

---
 lisp/ob-latex.el | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lisp/ob-latex.el b/lisp/ob-latex.el
index 428907a27..c32e7ea4c 100644
--- a/lisp/ob-latex.el
+++ b/lisp/ob-latex.el
@@ -180,7 +180,7 @@ This function is called by `org-babel-execute-src-block'."
 	 tmp-pdf
  (list org-babel-latex-pdf-svg-process)
  extension err-msg log-buf)))
-  (shell-command (format "mv %s %s" img-out out-file)
+  (shell-command (format "mv %s %s" (shell-quote-argument img-out) (shell-quote-argument out-file))
  ((string-suffix-p ".tikz" out-file)
 	  (when (file-exists-p out-file) (delete-file out-file))
 	  (with-temp-file out-file
-- 
2.30.2

[BUG] FAQ asnwer for "How can I use arbitrary colors for words/sentences in HTML export?" is outdated

[Ihor Radchenko]

Hi,

In https://orgmode.org/worg/org-faq.html#org60202b9, the answer uses
obsolete function `org-add-link-type'. We should change it to
`org-link-set-parameters'.

-- 
Ihor Radchenko // yantar92,
Org mode contributor,
Learn more about Org mode at .
Support Org development at ,
or support my work at