On 27/12/2021 03:18, Nikolay Kudryavtsev wrote:
Ob-maxima currently does not work on Windows due to it using single
quotes in the Maxima invocation and those not being supported by Windows
CMD.
After some testing I've found an invocation that seems to work fine on
both Windows and Linux. I don't think this patch can cause any real
issue, since the string in those quotes is just the temp file path.
--- a/lisp/ob-maxima.el
+++ b/lisp/ob-maxima.el
@@ -77,7 +77,7 @@ This function is called by `org-babel-execute-src-block'."
(result
(let* ((cmdline (or (cdr (assq :cmdline params)) ""))
(in-file (org-babel-temp-file "maxima-" ".max"))
- (cmd (format "%s --very-quiet -r 'batchload(%S)$' %s"
+ (cmd (format "%s --very-quiet -r \"batchload(\\\"%S\\\")\"$ %s"
org-babel-maxima-command in-file cmdline)))
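Review bot: In the added `cmd` line, `%S` already prints `in-file` as a double-quoted Lisp string, so the hand-written `\\\"` around it does not enclose the path. In a POSIX shell the quotes that `%S` emits close and reopen the outer double-quoted string, which leaves the path itself unquoted, and the `$` now sits outside the quotes as well. A temporary directory whose name contains a space or a shell metacharacter would then be split or interpreted by the shell, which the single-quoted form only did for an apostrophe. Consider building the `batchload(...)$` expression as one string and handing it to the process as a single argument from an argument list, so no shell parses it. Failing that, quote the whole expression once with a platform-aware quoting function instead of hand-placed quotes, and add a comment stating which characters in the temp path are still unsupported.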
I do not like the original variant, but the suggested change makes it unsafe in
more cases. `in-file' might contain an apostrophe in the case of a peculiar
path of the directory for temporary files. More characters may be
interpreted by BASH inside double quotes. Even the docstring for
`shell-quote-argument' mentions security issues with the function.
Ideally command arguments should be passed as a list to avoid
intermediate interpretation by the shell at all. Unfortunately gluing
strings to make a shell command is used too widely in Org code, and the Emacs
API encourages such an unsafe way.
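An added example, not part of the original message or of Org's code: a POSIX sh sketch of how the two command strings from the hunk are parsed for a plain temp-file path, one with a space, and one with an apostrophe, compared with handing the argument to the program without a shell re-parse. `fake_maxima`, `lisp_S` and the sample paths are constructed for illustration, and Windows CMD parsing is not modelled.

```shell
# Stand-in for the maxima binary (hypothetical helper): reports its argument
# count, then each argument on its own line.
fake_maxima() {
    echo "argc=$#"
    for a in "$@"; do printf '[%s]\n' "$a"; done
}

# Emulates Emacs `format' %S for a path containing no " or \ characters.
lisp_S() { printf '"%s"' "$1"; }

# Command string built by the removed line: -r 'batchload(%S)$'
old_cmd() {
    printf '%s%s%s\n' "fake_maxima --very-quiet -r 'batchload(" "$(lisp_S "$1")" ")\$' "
}

# Command string built by the added line: -r "batchload(\"%S\")"$
new_cmd() {
    printf '%s%s%s\n' 'fake_maxima --very-quiet -r "batchload(\"' "$(lisp_S "$1")" '\")"$ '
}

# Parse a command string the way a shell-based runner would, in a subshell
# so that a syntax error is reported instead of aborting the script.
run() { ( eval "$1" ) 2>/dev/null || echo "parse-error"; }

# No command string: the expression reaches the program as one argument.
direct() { fake_maxima --very-quiet -r "batchload($(lisp_S "$1"))\$"; }

# First line of the result: "argc=N" or "parse-error".
summary() { "$@" | head -n 1; }

# Constructed sample temp-file paths.
for p in "/tmp/babel-x/maxima-abc.max" "/tmp/my dir/maxima-abc.max" "/tmp/o'neil/maxima-abc.max"; do
    printf '%s\n  old:    %s\n  new:    %s\n  direct: %s\n' "$p" \
        "$(summary run "$(old_cmd "$p")")" \
        "$(summary run "$(new_cmd "$p")")" \
        "$(summary direct "$p")"
done
```

Three arguments (`--very-quiet`, `-r`, the expression) is the intended result; any other count or a parse error means the shell reinterpreted part of the path.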