[tex-live] Security issues for restricted shell escape
Heiko Oberdiek
oberdiek at uni-freiburg.de
Fri Jul 17 19:28:11 CEST 2009
Hello,
texmf.cnf contains in current pretest:
| % Enable system commands via \write18{...}. When enabled fully (set to
| % 1), obviously insecure. When enabled partially (set to p), only the
| % commands listed in shell_escape_commands are allowed. Although this
| % is not fully secure either, it is much better, and so useful that we
| % enable it for everything but bare tex.
| shell_escape = p
|
| % No spaces in this command list.
| shell_escape_commands = \
| bibtex,convert,dvips,epstopdf,epspdf,etex,fc-match,gnuplot,\
| kpsewhich,latex,luatex,lualatex,makeindex,mpost,\
| pdfcrop,pdflatex,pdfluatex,ps2pdf,ps4pdf,pstopdf,pygmentize,\
| tex,texexec,texmfstart,ulqda\
|
| % plain TeX should remain unenhanced.
| shell_escape.tex = f
Setting "p" isn't much better than "1". The security holes are
huge. Many programs of the command list allow the execution
of arbitrary programs, examples:
* The call of "tex -shell-escape" with embedded calls to arbitrary
programs is possible; the same for the other TeX variants.
* Version 1.17 closes some security holes in pdfcrop
(using -dSAFER for ghostscript, -no-shell-escape,
and validating arguments.) However it allows the configuration
of programs that are called by the script (Ghostscript,
pdfTeX or XeTeX). At least I have forbidden backticks and
whitespace and the arguments are under the control of pdfcrop.
However there might be malicious programs that igore their
arguments ...
* ...
Yours sincerely
Heiko <oberdiek at uni-freiburg.de>
More information about the tex-live
mailing list