org-link-expand-abbrev: Do not evaluate arbitrary unsafe Elisp code
c645e1d8205f0f0663ec4a2d27575b238c646c7c
Ihor Radchenko
Sat Jun 22 00:54:36 2024 +0200
[ km: This was independently covered on the bugfix branch with
f4cc61636. I'm applying it here too for bookkeeping/traceability
purposes. ]
* lisp/ob-shell.el (org-babel-sh-evaluate): When running src block as
script file, make sure that shebang is always added on top. This is
to prevent <shell> <script> command in shells like dash from using
/bin/sh to evaluate scripts without shebang. (In contrast with bash
that uses itself). Add comment highlighting that
`with-connection-local-variables' sets `shell-file-name' and
`shell-command-switch' as necessary.
* testing/lisp/test-ob-shell.el (test-ob-shell/remote-with-stdin-or-cmdline):
Add new test.
Reported-by: Max Nikulin <manikulin@gmail.com>
Link: https://list.orgmode.org/orgmode/v0an63$3n2$1@ciao.gmane.io/
* lisp/ob-shell.el (org-babel-sh-evaluate): When invoking script file
generated from the code block, consistently use
<shell-name> -c <script-file> <cmdline-args> command line, even when
:shebang header argument is provided. The previous approach with
<script-file> <cmdline-args> call caused differences in how shell
parsed the provided command line arguments.
* testing/lisp/test-ob-shell.el (test-ob-shell/cmdline): New test.
Reported-by: Max Nikulin <manikulin@gmail.com>
Link: https://orgmode.org/list/18f01342a2f.124ad27612732529.8693431365849276517@excalamus.com
* lisp/org-persist.el (org-persist--normalize-associated): Force
'emacs-internal coding system when computing buffer contents hash.
Reported-by: Eli Zaretskii <eliz@gnu.org>
Link: https://orgmode.org/list/86jzia68ih.fsf@gnu.org
* lisp/ob-sqlite.el (org-babel-header-args:sqlite):
(org-babel-execute:sqlite): Add new header argument :readonly.
* etc/ORG-NEWS (ob-sqlite: Added ability to open a database in
readonly mode): Announce the new header argument.
* lisp/ol.el (org-link-expand-abbrev): Refuse expanding %(...) link
abbrevs that specify an unsafe function. Instead, display a warning, and
do not expand the abbrev. Clear all the text properties from the
returned link, to avoid any potential vulnerabilities caused by
properties that may contain arbitrary Elisp.
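
Added illustration (not part of the commit message and not Org's own code): a minimal allowlist gate of the kind the ol.el entry above describes, where a %(FUNCTION) template is expanded only for functions explicitly marked safe and the returned string is stripped of text properties. Every `demo-' name, the `demo-abbrev-safe' property and the abbreviation table are assumptions made for this example.

```elisp
;;; -*- lexical-binding: t; -*-
;; Added example; all `demo-' names are hypothetical, not Org's API.

(defun demo-upcase-tag (tag)
  "Return TAG upcased.  Reviewed and opted in below."
  (upcase tag))
;; Explicit opt-in: only functions carrying this property may be called.
(put 'demo-upcase-tag 'demo-abbrev-safe t)

(defun demo-unreviewed (tag)
  "Stand-in for any function nobody marked as safe."
  (concat "unreviewed:" tag))

(defvar demo-abbrev-alist
  '(("up"  . "https://example.invalid/%(demo-upcase-tag)")
    ("bad" . "https://example.invalid/%(demo-unreviewed)"))
  "Constructed abbreviation table of (NAME . TEMPLATE) pairs.")

(defun demo-expand-abbrev (link)
  "Expand NAME:TAG in LINK using `demo-abbrev-alist'.
A %(FUNCTION) template is expanded only when FUNCTION is fbound and
has a non-nil `demo-abbrev-safe' property.  Otherwise a warning is
displayed and LINK is returned unexpanded.  The result never carries
text properties."
  (let ((result link))
    (when (string-match "\\`\\([^:]+\\):\\(.*\\)\\'" link)
      (let* ((name (match-string 1 link))
             (tag (match-string 2 link))
             (template (cdr (assoc name demo-abbrev-alist))))
        (when (and template
                   (string-match "%(\\([^)]+\\))" template))
          ;; `intern-soft' never creates new symbols from file content.
          (let ((fn (intern-soft (match-string 1 template))))
            (if (and fn (fboundp fn) (eq t (get fn 'demo-abbrev-safe)))
                (setq result
                      (replace-match
                       (save-match-data (funcall fn tag))
                       t t template))
              (display-warning
               'demo-abbrev
               (format "Not expanding %S: function %S is not marked safe"
                       link fn)
               :warning))))))
    ;; Drop properties so nothing evaluable rides along with the link.
    (substring-no-properties result)))

;; Constructed inputs: one allowlisted abbrev, one refused abbrev that
;; also arrives with a text property attached.
(demo-expand-abbrev "up:foo")
(demo-expand-abbrev (propertize "bad:foo" 'face 'bold))
```

The second call leaves the link unexpanded and logs a warning instead of calling the unmarked function.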
* lisp/Makefile (.NOTPARALLEL):
* mk/targets.mk (.NOTPARALLEL): Do not fiddle with explicit
.NOTPARALLEL. Given that we provide correct dependencies, parallel
execution should work, and it does work.
* lisp/org-refile.el (org-refile-get-location): When current buffer
file is a symlink to refile location, do not append the file name to
the outline path, just as we do when current buffer is the same as
refile location file.
TINYCHANGE
* lisp/org-element.el (org-element--timestamp-regexp): Do not match
malformed timestamps like:
<202-07-10 .+1d>
`org-ts-regexp-both' already covers the removed part of the regexp.
It appears that the problematic regexp is coming from a copy-paste from
`org-agenda-get-timestamps' where the inaccurate regexp is used to
search timestamps with repeaters in conjunction with searching for exact
agenda dates. In `org-agenda-get-timestamps', inaccuracy is not a
problem because proper matching against `org-ts-regexp-both' is
performed later, simply skipping non-timestamps.
Reported-by: Platon Pronko <platon7pronko@gmail.com>
Link: https://orgmode.org/list/6000e3bf-f95f-44fd-b321-cf44acd5c485@gmail.com
* lisp/oc-csl.el (org-cite-csl-bibtex-titles-to-sentence-case): New
variable.
(org-cite-csl--processor): Create the itemgetter using the new option.
* etc/ORG-NEWS (New option
~org-cite-csl-bibtex-titles-to-sentence-case~): Announce the change.
* org-plot.el (org-plot/gnuplot-script-preamble)
(org-plot/gnuplot-term-extra): Explain what "plot type" means.
(org-plot/preset-plot-types): Fix docstring and correct the lambda
argument order for the 'grid' plot type.
(org-plot/gnuplot): Merge the parameters given in
`org-plot/preset-plot-types' and the #+PLOT line to ensure the former
is respected everywhere.
Reported-by: Visuwesh <visuweshm@gmail.com>
Link: https://orgmode.org/list/87cypbjw50.fsf@gmail.com
* lisp/ob-shell.el (org-babel-shell-initiate-session): Define an
alias to `org-babel-sh-initiate-session' for #+begin-src shell blocks.
Reported-by: Suhail Singh <suhailsingh247@gmail.com>
Link: https://orgmode.org/list/87tthrv2wt.fsf@gmail.com
* doc/org-manual.org: Add target spec format for function and symbol
for headline and olp.
* etc/ORG-NEWS: Announce the updated options for
`org-capture-templates'.
* lisp/org-capture.el (org-capture-templates): Update customization
type for `file+headline', `file+olp', and `file+olp+datetree' targets,
and update docstring.
(org-capture-expand-headline): Define a new function that computes
headline string from target spec.
(org-capture-expand-olp): Define a new function that computes olp list
from target spec.
(org-capture-set-target-location): Use `org-capture-expand-headline'
to expand headline, and use `org-capture-expand-olp' to expand outline
path.
* testing/lisp/test-org-capture.el (test-org-capture/entry): Add tests
for at most three different kinds of target for `file+headline',
`file+olp', and `file+olp+datetree'.
(test-org-capture/org-capture-expand-olp): Add tests for
`org-capture-expand-olp'.
* lisp/org-plot.el (org-plot/gnuplot): Use a stable data-file to make
replot-on-resize in GUI terminals work.
Reported-by: Visuwesh <visuweshm@gmail.com>
Link: https://orgmode.org/list/87mso7sl6g.fsf@gmail.com
* lisp/ob-shell.el (org-babel-shell-initialize): Define
org-babel-prep-session:<shell-name> and
org-babel-<shell-name>-initiate-session functions.
Without this, `org-babel-switch-to-session' does not work for ob-shell
blocks.
* lisp/ob-shell.el (org-babel-shell-initialize): Assign default value
from `org-babel-default-header-args:shell' and
`org-babel-header-args:shell' for specific shell variables.
Reported-by: Suhail Singh <suhailsingh247@gmail.com>
Link: https://orgmode.org/list/87frtczgu6.fsf@gmail.com
* lisp/org-list.el (org-update-checkbox-count): Do not move point
before current heading when point is already on heading.
Reported-by: Bruno Cardoso <cardoso.bc@gmail.com>
Link: https://orgmode.org/list/878qz49an7.fsf@gmail.com
* lisp/org-compat.el (org-imenu-get-tree): Add the current headline to
the tree as a simple item even if it isn't a leaf.
With a file like this:
* headline 1
** headline 2
We currently produce an imenu tree that looks like this:
'(("headline 1" ("headline 2" . marker-2)))
imenu has no clue where "headline 1" is located and thus the user
can't navigate to it. With this patch installed imenu knows where
non-leaf headlines are as the tree will now look like this:
'(("headline 1" . marker-1)
("headline 1" ("headline 2" . marker-2)))
Quirks:
With the default `imenu-flatten' value of nil, it is still impossible
to visit non-leaf headlines and no change is perceived.
Setting `imenu-flatten' to 'group works as expected with the quirk
that top level headlines don't end up in the group.
Ex:
* Headline 1
Group is "*"
Setting the group to "Headline 1" somehow might be nice but would
require upstream changes in imenu.
** Headline 2
Group is "Headline 1"
*** Headline 3
Group is "Headline 1:Headline 2"
Everything seems to work as expected when `imenu-flatten' is set to
'prefix or 'annotation.
Link: https://orgmode.org/list/CH3PR84MB34241FF78D2A1D8653FE6056C5C22@CH3PR84MB3424.NAMPRD84.PROD.OUTLOOK.COM
* lisp/ob-clojure.el (ob-clojure-cli-command): Allow nil value. It
can happen, even though it will yield an error (which is a different
issue). But let's follow other defcustoms in the file.
Reported-by: Mattias Engdegård <mattias.engdegard@gmail.com>
Link: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=71566