Re: [PATCH] make org-notify support for macOS desktop notification

[stardiviner]

I updated the patch, I found the package `osx-lib` contains solution. So I 
removed the directly osascript process invocation.

0001-org-clock.el-Make-org-notify-support-macOS-notificat.patch
Description: Binary data

> On Jul 4, 2021, at 1:48 PM, Maxim Nikulin <manikulin@gmail.com> wrote:
> 
> On 04/07/2021 07:23, stardiviner wrote:
>> I found `org-notify` does not support macOS desktop notification. So I write 
>> a small patch for this.
> 
> I am surprised that there is no OS-agnostic function in Emacs that sends 
> simple notification, suitable when no advanced feature are necessary. Only 
> OS-dependent variants are implemented for Linux and Windows.
> 
>> +                        (format "'display notification \"%s\" with title 
>> \"title\"'" notification "Org mode message")))
> 
> Unsafe substitution of the argument. There is no guarantee that notification 
> has no quote characters. I do not know, which link you would prefer:
> - old https://xkcd.com/327/ "Robert'); DROP TABLE"
> - recent 
> https://arstechnica.com/gadgets/2021/06/mass-data-wipe-in-my-book-devices-prompts-warning-from-western-digital/
>  Wipe data from NAS (accordingly to some sources, device can be protected by 
> firewall, it is enough to open in a browser a page with a malicious <img 
> src="..."> element, e.g. in a comment of an earlier visitor)
> 
> The preferred way is to pass such parameters as separate arguments of 
> `start-process'. I am not familiar with osascript, I hope, it does not 
> additionally interpret strings passed to "display notification" to do 
> something fancy things. Example with sh:
> 
> Current unsafe variant:
> 
>>   sh -c "`printf 'echo "%s: %s - %s"' 'some-command' '"; echo another action 
>> ; echo "' 'second arg'
> With parameters passed as separate arguments to avoid interpretation of 
> special characters:
> 
>>   sh -c 'echo "$0: $1 - $2"' 'some-command' '"; echo another action ; echo 
>> "' 'second arg'
> 
>