Trying to execute code by default, non-standard and dangerous
Trying to run this to generate documentation from the following file https://github.com/GrammaTech/gtirb/blob/master/README.md fails because cl-markdown mistakes the C++ code in that file for built-in commands, and tries to run them. IMO it is dangerous to have non-standard code execution turned on by default like this.
To make matters somewhat worse, I'm unable to turn the execution off. From looking at the docs I could find, it seems that setting the following two variables to nil should remove any of these extra extensions: *parse-active-functions* and *render-active-functions*. However, this has no effect. Is it possible to turn off this surprising (to me) command execution in cl-markdown's markdown function?
Thanks!
Note: otherwise this package looks great and I'd be thrilled to use it.
Hi all I recently took over maintenance of this code and after a quick perusal of the code, I believe that this isn't full code execution, but only allows explicitly whitelisted functions. That being said I agree that it's counter intuitive, and should probably be opt-in rather than opt-out. Even in the face of backwards incompatibility, I'm open to making that change.
But one way or another, at least as far as I can tell, this isn't a security bug, but rather a usability issue (unexpected parsing of curly braces).
It's on the radar, but low prio, unless I'm mistaken about the security aspect.
Thanks for reporting!
For more info btw see the user guide https://cl-markdown.common-lisp.dev/user-guide.html section on "function calls", and NB
> functions active during these stages are kept in the special variables *render-active-functions* and *parse-active-functions*.
Which corresponds to the code, in other words this is on a whitelist basis. I think.
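The thread above describes the failure mode: brace-delimited text in an untrusted document (here, C++ code in a README) being picked up by cl-markdown's function-call extension. The following is an added example, not code from cl-markdown or from anyone in this thread, of a pre-render check a documentation pipeline could run to flag such constructs before handing a file to a renderer with active functions enabled. It assumes, as a simplification not confirmed against cl-markdown's parser, that the extension treats `{name ...}` (an opening brace followed by an identifier) as a call to `name`; the sample README text is constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Sequence

# Assumption (not verified against cl-markdown's source): a brace-delimited
# span whose first token is an identifier is treated as a function call.
CALL_RE = re.compile(r"\{\s*([A-Za-z][\w-]*)[^{}]*\}")


@dataclass
class BraceCall:
    line: int   # 1-based line number in the markdown source
    name: str   # identifier cl-markdown would look up as a function
    text: str   # the full brace span that was matched


def find_brace_calls(markdown: str) -> List[BraceCall]:
    """Return every brace span that looks like an active-function call."""
    hits: List[BraceCall] = []
    for lineno, line in enumerate(markdown.splitlines(), start=1):
        for m in CALL_RE.finditer(line):
            hits.append(BraceCall(lineno, m.group(1), m.group(0)))
    return hits


def is_safe_for_active_functions(markdown: str, allowed: Sequence[str] = ()) -> bool:
    """True when every brace call names a function the pipeline has deliberately
    enabled; untrusted documents should be rejected (or rendered with the
    extension disabled) when this returns False."""
    return all(call.name in allowed for call in find_brace_calls(markdown))


# Constructed sample: one intentional call plus an indented C++ block whose
# braces would be mistaken for calls to "return" and "sum".
SAMPLE = """# Sample README (constructed)

Rendered on {today}.

    int main() { return 0; }
    for (int i = 0; i < n; ++i) { sum += i; }
    std::vector<int> v{1, 2, 3};
"""


def report(markdown: str, allowed: Sequence[str] = ()) -> List[str]:
    """Human-readable findings, one per suspicious brace span."""
    return [
        f"line {c.line}: {c.text!r} would call {c.name!r}"
        + ("" if c.name in allowed else " (not whitelisted)")
        for c in find_brace_calls(markdown)
    ]


if __name__ == "__main__":
    for line in report(SAMPLE, allowed=("today",)):
        print(line)
    print("safe:", is_safe_for_active_functions(SAMPLE, allowed=("today",)))
```

The `{1, 2, 3}` initializer on the last sample line is deliberately not flagged, since under the assumed syntax a span starting with a digit is not a function name; the two C++ blocks with a leading keyword or variable are, which is the kind of mis-parse the reporter hit.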