
Shell commands get executed in \inputminted filename

Open Skipp1 opened this issue 1 year ago • 2 comments

As the title suggests shell commands can get executed in the filename argument of the \inputminted command.

\documentclass[10pt, a4paper]{article}
\usepackage[utf8]{inputenc}
\usepackage{minted}

\begin{document}
	\inputminted{text}{file.txt; touch file2.txt}
\end{document}

Here this example will load file.txt for inclusion in minted, but will also create a new file: file2.txt.

Thanks -- Skipp1

Skipp1, Jul 20 '22 14:07

I see two sub-problems in \inputminted{<lang>}{<filename>}:

  • When there's no file named <filename>. A simple \IfFileExists{<filename>}{<true>}{<false>} should work.
  • When <filename> does exist, but might be wrongly treated by minted or pygmentize. For example, touch "file.txt; touch file2.txt" will create an ill-named file file.txt;␣touch␣file2.txt. Then minted should wrap the <filename> in quotes when passing it to pygmentize.

Limitation: Both \IfFileExists and the simple quoting can't handle filenames with quotation mark(s), for example file "quotes".txt created by touch '"quotes".txt'.

diff --git a/source/minted.dtx b/source/minted.dtx
index 7a381d7..2a123a5 100644
--- a/source/minted.dtx
+++ b/source/minted.dtx
@@ -2994,7 +2994,7 @@
         \detokenize{for /f "usebackq tokens=*"}\space\@percentchar\detokenize{a in (`kpsewhich}\space\minted@codefile\detokenize{`) do}\space
       \fi
     \fi
-    \MintedPygmentize\space -l #2
+    \MintedPygmentize\space -l "#2"
     -f latex -P commandprefix=PYG -F tokenmerge
     \minted@optlistcl@g \csname minted@optlistcl@lang\minted@lang\endcsname
     \minted@optlistcl@inlines
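Review bot: The added quotes in -l "#2" wrap the argument to -l, which is the lexer name, not the file name this issue is about. The file name does not appear in the changed line, and the kpsewhich context line above still passes \minted@codefile unquoted, so the quoting should be applied where the file name reaches the command line. In a POSIX shell, double quotes also do not suppress $(...) or backtick substitution, so quoting alone narrows the problem without closing it.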
@@ -3425,7 +3425,9 @@
     \minted@configlang{#2}%
     \setkeys{minted@opt@cmd}{#1}%
     \minted@fvset
-    \minted@pygmentize[#3]{#2}%
+    \IfFileExists{#2}
+      {\minted@pygmentize[#3]{#2}}
+      {\PackageError{minted}{No file `\detokenize{#3}'}{}}%
     \endgroup}}
 %    \end{macrocode}
 % \end{macro}
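Review bot: \IfFileExists{#2} tests the wrong argument: #2 is the language (it is what \minted@configlang{#2} receives two lines above), while the file is #3, as the \detokenize{#3} in the new error message shows. Suggest \IfFileExists{#3}. As written, a valid call falls into the error branch unless a file named after the language happens to exist.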

muzimuzhi, Jul 22 '22 02:07

Using \ShellEsc to run pygmentize has always been somewhat fragile, and this is just the latest example of shell escaping and sanitization issues. The proper fix for this is probably to write all Pygments settings and the file name (or the code for minted environment/\mintinline) to a temp file, and create a Python wrapper for Pygments (say minted.py) that is run with \ShellEsc and actually does the processing. This way, \ShellEsc only ever is used with fixed arguments (say minted pyg.temp). And then all option processing and path handling can be done in a language with proper built-in support for such things. Otherwise we're left trying to do cross-platform shell command escaping in TeX. I've been wanting to do something like this as minted v3.0 for several years, but my time is limited and I very rarely use minted myself.

gpoore, Jul 22 '22 03:07
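The wrapper design described in the last comment, sketched as an added example (not code from minted or from anyone in this thread): the file name travels as data in a job file, and Pygments is started from an argv list instead of a shell string. The JSON job format, the function names and the lexer allow-list are assumptions; pyg.temp and the pygmentize options are taken from the page.

```python
import json, re, shlex, subprocess, tempfile
from pathlib import Path

LEXER_RE = re.compile(r"[A-Za-z0-9_+#.-]+")  # assumed allow-list for lexer names

def concatenated_command(lang, filename):
    """Command line built by pasting arguments into one string for the shell."""
    return f"pygmentize -l {lang} -f latex -P commandprefix=PYG -F tokenmerge {filename}"

def shell_view(command_line):
    """Split a command line into words and shell operators; nothing is executed."""
    return list(shlex.shlex(command_line, posix=True, punctuation_chars=True))

def write_job(job_path, lang, filename):
    """TeX side (hypothetical format): write data only, never a command line."""
    Path(job_path).write_text(json.dumps({"lexer": lang, "input": filename}), encoding="utf-8")

def build_argv(job_path):
    """Wrapper side: parse the job file, validate it, return an argv list."""
    job = json.loads(Path(job_path).read_text(encoding="utf-8"))
    if not LEXER_RE.fullmatch(job["lexer"]):
        raise ValueError(f"unexpected lexer name: {job['lexer']!r}")
    source = Path(job["input"])
    if not source.is_file():
        raise FileNotFoundError(job["input"])
    # An absolute path is one argv element and cannot be read as an option.
    return ["pygmentize", "-l", job["lexer"], "-f", "latex",
            "-P", "commandprefix=PYG", "-F", "tokenmerge", str(source.resolve())]

def run_job(job_path):
    """Run Pygments with an argv list, so no shell parses the file name."""
    return subprocess.run(build_argv(job_path), check=True, capture_output=True, text=True).stdout

def demo():
    name = "file.txt; touch file2.txt"  # the file name from the issue report
    tokens = shell_view(concatenated_command("text", name))
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / name).write_text("constructed sample\n", encoding="utf-8")
        job = Path(tmp) / "pyg.temp"
        write_job(job, "text", str(Path(tmp) / name))
        argv = build_argv(job)
    return tokens, argv

if __name__ == "__main__":
    for part in demo():
        print(part)
```

In the first result the `;` appears as its own token followed by a second command; in the second the whole name is the final argv element.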