[texhax] On \centerline, etc. (AMS LaTeX)
Uwe Lück
uwe.lueck at web.de
Thu Oct 25 14:21:31 CEST 2012
On Sunday, 07.10.2012, 04:35 +0200, Reinhard Kotucha wrote:
> On 2012-10-06 at 23:05:28 +0200, Uwe Lück wrote:
> > For that purpose, it may be a good idea to redefine Plain TeX
> > macros or even some primitives so they produce error messages
> > saying "Please replace #1 by ... according to the guidelines
> > for submissions".
>
> This is at least partly done by the onlyamsmath package
> and I suppose that l2tabu has the same goal.
Different publishers/journals have different guidelines,
so l2tabu badly can aim at them. I rather think that its authors
should think and write about their goals.
> > However, it may be difficult to defeat the Plain TeX guerilla for
> > good, who will reintroduce Plain TeX constructs by \newcommand
> > under new names, such as \xirtam.
> > I have just started to think how you can attack the journal's LaTeX
> > guard in your submission, and how the guard in turn can protect the
> > journal from certain types of Plain TeX attacks in advance, and
> > what new types of attacks could be invented ... finally you might
> > submit something not for the reputation of getting something
> > published, rather just for enjoying a successful Plain TeX attack.
>
> I'm not convinced that Plain TeX is less secure than LaTeX. As you
> said yourself, there is \newcommand. TeX Live provides protection
> already:
>
> shell_escape.tex = f
> shell_escape.initex = f
>
> % Allow TeX \openin, \openout, or \input on filenames starting with `.'
> % (e.g., .rhosts) or outside the current tree (e.g., /etc/passwd)?
> % a (any) : any file can be opened.
> % r (restricted) : disallow opening "dotfiles".
> % p (paranoid) : as `r' and disallow going to parent directories, and
> % restrict absolute paths to be under $TEXMFOUTPUT.
> openout_any = p
> openin_any = a
>
> Since files in parent directories cannot be [over]written, it's safe
> to put non-trusted stuff into subdirs and load it with
> \include{dir/file}. The default setting of openin_any is quite
> insecure, it's easy enough to write TeX code which puts your private
> ssh key into a PDF file, even invisibly. If you have to process
> material from people you don't trust, it's advisable to change this
> setting.
>
> You, as a TeX programmer, probably have something different in mind:
> If a publisher has to \include many files, one file could break files
> included later. This can be solved by including each file within a
> group, but I'm not sure whether it's safe to \let\aftergroup\relax.
> Not to mention \global, \globaldefs, ...
By "Plain TeX attack" I only meant placing a Plain TeX construct in a
paper although the staff has spent years developing strategies and
macros to keep Plain TeX constructs out. A funny game against another
funny game. Or a kind of fundamentalist suicide attack.
Cheers,
Uwe.
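The texmf.cnf settings quoted above (shell_escape, openout_any, openin_any) are easy to audit mechanically. The following is an added example, not code from the thread or from TeX Live: it parses a constructed texmf.cnf excerpt and reports any of the three variables (including per-program variants such as shell_escape.initex) that are weaker than the "paranoid"/no-shell-escape values one would want when processing untrusted submissions. The strictness orderings a < r < p and t < p < f are assumptions based on the documented meanings of those values.

```python
import re

# Constructed texmf.cnf excerpt modelled on the settings quoted in the thread
# (not copied from any real installation).
SAMPLE_TEXMF_CNF = """
% constructed sample
shell_escape = f
shell_escape.initex = f
openout_any = p
openin_any = a          % TeX Live default: any file may be read
"""

# Assumed strictness orderings, weakest first; the last letter is the
# hardened value wanted for untrusted input.
STRICTNESS = {
    "shell_escape": "tpf",   # t = allowed, p = restricted, f = disabled
    "openout_any": "arp",    # a = any, r = restricted, p = paranoid
    "openin_any": "arp",
}

# "name = value" with an optional trailing "% comment"
_LINE = re.compile(r"^\s*([A-Za-z_][\w.]*)\s*=\s*([^%]*?)\s*(?:%.*)?$")


def parse_texmf_cnf(text):
    """Return {name: value} for every 'name = value' line; '%' starts a comment."""
    settings = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def audit(settings):
    """Return (key, found, wanted) for each variable missing, unknown, or
    weaker than the hardened value.  Per-program variants ('name.program')
    override the plain name for that program, so they are checked as well."""
    findings = []
    for name, order in STRICTNESS.items():
        wanted = order[-1]
        keys = [k for k in settings if k == name or k.startswith(name + ".")]
        if not keys:
            findings.append((name, None, wanted))
        for key in keys:
            value = settings[key]
            if value not in order or order.index(value) < order.index(wanted):
                findings.append((key, value, wanted))
    return findings


if __name__ == "__main__":
    for key, found, wanted in audit(parse_texmf_cnf(SAMPLE_TEXMF_CNF)):
        print(f"{key}: found {found!r}, want {wanted!r}")
```

On a real installation the effective values can be read with `kpsewhich -var-value=openin_any` (and likewise for the other two) and fed to the same check.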