[tex-live] Status of restricted \write18 and epstopdf conversion
Alexander Cherepanov
cherepan at mccme.ru
Sun Oct 18 22:39:43 CEST 2009
Hi Manuel!
On Sun, 18 Oct 2009 01:35:53 +0200, Manuel Pégourié-Gonnard <mpg at elzevir.fr> wrote:
>> And you can use backslash as a path separator on cygwin:
>>
>> ./repstopdf --outfile='dir\..\..\..\out.pdf' input.eps
>>
>> (tested on cygwin1.5 only).
> Ok. Cygwin is quite complicated to get right, being sort of a mix of
Definitely.
> Unix and Windows. Thanks again for this information.
>> Approximate patch:
> It looks like a good start at first glance. I'll review it more
> thoroughly tomorrow (too tired now) and apply it.
>> + # disallow quote
>> + $ok = 0 if $OutputFilename =~ /"/;
>> + # disallow newline (just to be on a safe side)
>> + $ok = 0 if $OutputFilename =~ /\n/;
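Review bot: the two checks on $OutputFilename form a deny-list that covers only the double quote and the newline. If the value is later interpolated into a double-quoted shell argument, the characters `$`, backtick and backslash are still interpreted by a POSIX shell, so command substitution remains possible. Rather than extending the list of rejected characters, pass the arguments to the list form of system() so that no shell parses them, or wrap the value in single quotes and escape embedded single quotes.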
> This is not enough to prevent injection.
>
> repstopdf --debug --outfile="$(echo hi >~/pwned; echo foo.pdf)" foo.eps
(probably you mean single quotes here, so command substitution happens
when calling gs, not when calling repstopdf)
> still gives arbitrary command execution. This one can be circumvented,
> at least on Unix, by quoting the outfile name with single quotes (and
> then disallow single quote in the value, or better escape them (since a
> legitimate user might want to use single quotes in his file names).
I've also thought about all this quoting but only after sending the
email out:-( That requires some work...
Another issue here is environment variables like %TEMP% on Windows.
> But I'm thinking it would probably be better to use the list form of
> system() so that we avoid to call a shell at all, to really prevent
> injection.
This is also not that easy but you seem to manage it (just received
your next mail), nice. Will look into the new version now.
Alexander Cherepanov
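
An added example, not code from this thread or from epstopdf: the three ways of passing an output file name that the message discusses (double-quoted shell string, single-quoted with escaping, list form of system()), run side by side. It assumes a Unix system with /bin/sh; `printf` stands in for the gs call, the helper `sh_single_quote` is hypothetical, and the file names are constructed, with a payload that only echoes a marker.

```perl
#!/usr/bin/perl
use strict;
use warnings;

$| = 1;    # flush our output before each child process writes its own

# Hypothetical helper: wrap a value in single quotes for /bin/sh and
# rewrite each embedded single quote as '\'' (close, escaped quote, reopen).
sub sh_single_quote {
    my ($s) = @_;
    $s =~ s/'/'\\''/g;
    return "'$s'";
}

# Constructed file names: one carries a command substitution, the other a
# legitimate single quote that must survive unchanged.
my @names = ('$(echo INJECTED)out.pdf', q{user's file.pdf});

for my $outfile (@names) {
    my $arg = "-sOutputFile=$outfile";
    print "--- outfile: $outfile\n";

    # 1. String form, double quotes: the command goes through /bin/sh, which
    #    still expands $(...) and backticks inside double quotes.
    print "double-quoted string: ";
    system(qq{printf '[%s]\\n' "$arg"});

    # 2. String form, single quotes with escaping: the shell is still
    #    involved, but it treats the whole value as literal text.
    print "single-quoted string: ";
    system(q{printf '[%s]\n' } . sh_single_quote($arg));

    # 3. List form: Perl executes the program directly with this argument
    #    vector, so no shell ever parses the value.
    print "list form:            ";
    system('printf', '[%s]\n', $arg);
}
```

For the first name, only the double-quoted variant prints `INJECTEDout.pdf`; the other two print the name literally, and the name containing a single quote passes through all three variants intact.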