Max Nikulin writes:

> ---- 8< ----
> #+begin_src elisp :results none
> (require 'ob-sqlite)
> #+end_src
>
> #+begin_src sqlite :db /tmp/ob.sqlite$(date >/tmp/ob-sqlite-vuln.log)
> select 1
> #+end_src
> ---- >8 ----
>
> Execution of the sqlite code block causes creation of the
> /tmp/ob-sqlite-vuln.log file.
>
> The cause is usage of `org-fill-template' without `shell-quote-argument'.

Confirmed.
This is clearly very common.

What do you think about creating a new API to build shell commands and
then using it across all the babel backends?

See the attached tentative diff.
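
The quoting problem discussed in this message, shown as an added example that is not part of the original thread, of Org's code, or of the attached diff. The `my/demo-*` names and the one-placeholder template are hypothetical, simplified from the kind of template a babel backend fills in; the code only builds command strings and executes nothing.

```elisp
;;; Added illustration: strings are built and compared, never run.
(require 'org-macs)                     ; provides `org-fill-template'

(defconst my/demo-template "sqlite3 %db"
  "Constructed, simplified command template (assumption, not ob-sqlite's).")

(defun my/demo-fill-raw (db)
  "Fill the template with DB inserted verbatim.
This is the pattern the report describes: the header value reaches
the shell command line without any quoting."
  (org-fill-template my/demo-template (list (cons "db" db))))

(defun my/demo-fill-quoted (db)
  "Fill the template with DB passed through `shell-quote-argument'.
Shell metacharacters in DB are escaped, so the shell sees one
literal file-name argument."
  (org-fill-template my/demo-template
                     (list (cons "db" (shell-quote-argument db)))))

(defun my/demo-shell-command (program &rest args)
  "Hypothetical helper: join PROGRAM and ARGS, quoting every element.
Callers pass arguments as a list and cannot forget to quote one.
An empty string stays a distinct (empty) argument because
`shell-quote-argument' returns \\='\\=' for it on POSIX shells."
  (mapconcat #'shell-quote-argument (cons program args) " "))

(defun my/demo-compare (db)
  "Return a plist with the command strings each approach builds for DB."
  (list :raw    (my/demo-fill-raw db)
        :quoted (my/demo-fill-quoted db)
        :helper (my/demo-shell-command "sqlite3" db)))

;; The :db value from the report above, used as sample input.
(my/demo-compare "/tmp/ob.sqlite$(date >/tmp/ob-sqlite-vuln.log)")
```

In the `:raw` string the `$(...)` text is still live shell syntax; in `:quoted` and `:helper` it is escaped and reaches `sqlite3` as part of the file name.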