From a8006ea580ed74f27f974d60b598143b04ad1741 Mon Sep 17 00:00:00 2001

From: Xi Lu <lx@shellcodes.org>

Date: Sat, 11 Mar 2023 18:53:37 +0800

Subject: * lisp/org/ob-latex.el: Fix command injection vulnerability

(org-babel-execute:latex):

Replaced the `(shell-command "mv BAR NEWBAR")' with `rename-file'.

TINYCHANGE

---

 lisp/org/ob-latex.el | 13 +++++--------

 1 file changed, 5 insertions(+), 8 deletions(-)

diff --git a/lisp/org/ob-latex.el b/lisp/org/ob-latex.el

index a2c24b3..ce39628 100644

--- a/lisp/org/ob-latex.el

+++ b/lisp/org/ob-latex.el

@@ -218,17 +218,14 @@ This function is called by `org-babel-execute-src-block'."

 	    (if (string-suffix-p ".svg" out-file)

 		(progn

 		  (shell-command "pwd")

-		  (shell-command (format "mv %s %s"

-					 (concat (file-name-sans-extension tex-file) "-1.svg")

-					 out-file)))

+                  (rename-file (concat (file-name-sans-extension tex-file) "-1.svg")

+                               out-file t))

 	      (error "SVG file produced but HTML file requested")))

 	   ((file-exists-p (concat (file-name-sans-extension tex-file) ".html"))

 	    (if (string-suffix-p ".html" out-file)

-		(shell-command "mv %s %s"

-			       (concat (file-name-sans-extension tex-file)

-				       ".html")

-			       out-file)

-	      (error "HTML file produced but SVG file requested")))))

+                (rename-file (concat (file-name-sans-extension tex-file) ".html")

+                             out-file t)

+              (error "HTML file produced but SVG file requested")))))

 	 ((or (string= "pdf" extension) imagemagick)

 	  (with-temp-file tex-file

 	    (require 'ox-latex)

-- 

cgit v1.1