Hi,
Thanks for raising this issue. While I don't consider it a security
issue (code blocks are already executing arbitrary code on your system),
it is certainly a failure in the parsing of input from scripting
languages (actually any language which has single-quote delimited
strings).
I just
Strings with quotes in them aren't having the inner quotes escaped correctly
when read by ob-python in Python. Example:
#+BEGIN_SRC python
return [['607', 'Show license short name on the deed'],
['255', 'Smart 404 pages']]
#+END_SRC
#+results:
| 607 | Show license short name on the deed |
It looks like \' and are not being escaped in
org-babel-python-table-or-string, which is the problem.
Christopher Allan Webber cweb...@dustycloud.org writes:
Strings with quotes in them aren't having the inner quotes escaped correctly
when read by ob-python in Python. Example:
#+BEGIN_SRC
I worry about this a bit because of the possible security issue: the
ability to execute arbitrary code, since the structure that gets
constructed is eval'ed.
eg:
#+BEGIN_SRC python
return [['607', 'Show license short name on the deed'],
['255', '))(message (concat 'hello ' 'world]]
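Both problems raised in this thread (inner quotes breaking the conversion of a Python block's result, and the risk of eval'ing a structure rebuilt by text substitution) come from the same root: the result is handed back as Python literal text and re-read by swapping quote characters and evaluating. The example below is an added illustration, not code from the thread or from ob-python itself (which does this step in Emacs Lisp); it contrasts a hypothetical quote-swapping converter with one that parses the text as a Python literal and never executes it. The sample results and the function names are constructed for the example.

```python
import ast

# Constructed samples: the repr() text a src block's `return` value would
# produce before it is converted into an Org table. Not from the thread.
SAMPLE_PLAIN = repr([['607', 'Show license short name on the deed'],
                     ['255', 'Smart 404 pages']])
SAMPLE_INNER_QUOTES = repr([['607', "Let's show the license's name"],
                            ['255', 'say "hi"']])
# A string that merely *looks* like Lisp code; it must come back as data.
SAMPLE_CODE_LIKE = repr([['255', "))(message (concat 'hello ' 'world"],
                         ['1', 'x']])


def naive_quote_swap(text):
    """Hypothetical fragile converter: rewrite every ' into " so the text
    resembles a double-quoted list, then eval() it.  Returns None when the
    rewritten text is no longer valid syntax, which is exactly what happens
    once a cell contains a quote character of its own."""
    swapped = text.replace("'", '"')
    try:
        return eval(swapped)  # executes whatever survives the rewrite
    except SyntaxError:
        return None


def to_table(value):
    """Normalise a parsed literal into rows of strings, or a plain string."""
    if isinstance(value, (list, tuple)):
        rows = [list(r) if isinstance(r, (list, tuple)) else [r] for r in value]
        return [[str(cell) for cell in row] for row in rows]
    return str(value)


def parse_result(text):
    """Safe converter: ast.literal_eval accepts only literal syntax (strings,
    numbers, lists, tuples, dicts, ...).  Calls, attribute access and other
    code raise ValueError/SyntaxError, so nothing is ever executed; quotes
    inside strings are handled by the real Python grammar rather than by
    character replacement.  Anything that is not a literal is returned as
    the raw text, which is how a scalar result is treated anyway."""
    try:
        value = ast.literal_eval(text.strip())
    except (ValueError, SyntaxError):
        return text
    return to_table(value)


if __name__ == "__main__":
    for sample in (SAMPLE_PLAIN, SAMPLE_INNER_QUOTES, SAMPLE_CODE_LIKE):
        print("naive :", naive_quote_swap(sample))
        print("safe  :", parse_result(sample))
```

Running it shows the naive converter succeeding only on `SAMPLE_PLAIN` and returning `None` for both samples with inner quotes, while `parse_result` yields a two-row table for all three and keeps the Lisp-looking cell as an ordinary string. Feeding `parse_result` something that is not a literal, such as `__import__('os').system('id')`, returns it unchanged as text instead of evaluating it.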