Try the following in the latest Rstudio notebook, for example on Linux
```{r}
eng_fake <- function(options) {
out=system(sprintf('ls %s', '/tmp'), intern=TRUE)
knitr::engine_output(options, options$code, out)
}
knitr::knit_engines$set(fake=eng_fake)
```
```{r engine='fake'}
to be ignored
```
Instead of doing a ls /tmp, the second chunk gives an error as the function name attempts to be executed:
/bin/sh: 1: fake: not found
That happens even if the source of render.R shows on knitr/blob/master/R/engine.R a test for whether the engine name is a function around line 606:
get_engine = function(name) {
fun = knit_engines$get(name)
if (is.function(fun)) return(fun)
....
This could also lead to malicious code execution: while what is inside system() may get checked more carefully, the name of a function seems more innocent.
Other issues related to creating custom engine for use in notebook seem to be present: the examples given on http://datadrivensecurity.info/blog/posts/2015/Jun/running-other-languages-in-r-markdown-files/ can't be reproduced in Rstudio IDE
There seems to be a separate bug giving the file extension issue previously reported on https://github.com/yihui/knitr-examples/issues/54#issuecomment-318841217