[dvipdfmx] pstricks+xetex+dvipdfmx file access

Karl Berry karl at freefriends.org
Tue Nov 16 00:08:52 CET 2021


Shunsaku and all - sorry to be writing from a place of ignorance, but:

As far as I know, to support pstricks with xetex+(x)dvipdfmx, right now
it's necessary to call gs with both -dALLOWPSTRANSPARENCY and -dNOSAFER.
This is what dvipdfmx-unsafe.cfg does.

We have been told by the gs developers (thanks to Bruno V for pursuing
all this) that -dALLOWPSTRANSPARENCY will be both a) required to enable
the transparency operators, and also b) unsafe to use with untrusted
documents, for the foreseeable future. Nothing we can do about that.
(Well, unless someone wants to fork gs. :)

Here, I'm wondering about -dNOSAFER, which is even less safe than
-dALLOWPSTRANSPARENCY, essentially allowing general access to the entire
filesystem, constrained only by system file permissions. E.g., a
PostScript special buried in some TeX document could trivially write to
~/.ssh/id_rsa[.pub]. Clearly not good.

My understanding is that -dNOSAFER is required because reading various
PS headers is delegated to Ghostscript itself.  Looks like that happens
in spc_dvips.c, spc_handler_ps_tricks_render etc., a number of lines like:
  fprintf(fp, "(%s) run\n", global_defs);

So ... instead of having Ghostscript read the files off the filesystem,
would it be possible for dvipdfmx to look up the header and insert it
into the code? Which is, I believe, what dvips does, and thus why the
dvips route does not require -dNOSAFER.

It would be most excellent if we could avoid the requirement for
-dNOSAFER, instead of living by luck that no one has bothered to exploit
the problem.

wdyt? --thanks, karl.
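
The change proposed in the message above, as an added example that is not part of the original post and is not dvipdfmx code: the program opens the header itself and copies its bytes into the PostScript it hands to Ghostscript, instead of emitting a `(file) run` that makes the interpreter read the filesystem. The function names, the `sample.pro` name and the header text are constructed for illustration; the caller is assumed to have already located and opened the header, and `name` is assumed to be a plain file name without newlines.

```c
#include <stdio.h>
#include <string.h>

/* Pattern quoted in the post: Ghostscript opens the file itself. */
int emit_header_run(FILE *ps, const char *path)
{
    return fprintf(ps, "(%s) run\n", path);
}

/* Alternative: the caller has already located and opened the header (hdr);
 * copy its bytes into the PostScript stream so Ghostscript reads no file.
 * Returns the number of header bytes copied, or -1 on I/O error. */
long emit_header_inline(FILE *ps, FILE *hdr, const char *name)
{
    char buf[4096];
    size_t n;
    long total = 0;
    int last = '\n';
    fprintf(ps, "%% begin inlined header: %s\n", name);
    while ((n = fread(buf, 1, sizeof buf, hdr)) > 0) {
        if (fwrite(buf, 1, n, ps) != n) return -1;
        last = (unsigned char)buf[n - 1];
        total += (long)n;
    }
    if (last != '\n') fputc('\n', ps);  /* keep the last token from fusing */
    fprintf(ps, "%% end inlined header: %s\n", name);
    return (ferror(hdr) || ferror(ps)) ? -1 : total;
}

/* Constructed sample: emit a small header either way; returns 1 if the
 * generated PostScript still asks the interpreter to "run" a file, else 0. */
int demo_uses_run(int inlined)
{
    static const char sample[] = "/demoDict 8 dict def\ndemoDict begin end";
    char out[512];
    size_t got;
    FILE *hdr = tmpfile(), *ps = tmpfile();
    if (!hdr || !ps) return -1;
    fputs(sample, hdr);
    rewind(hdr);
    if (inlined) emit_header_inline(ps, hdr, "sample.pro");
    else emit_header_run(ps, "sample.pro");
    rewind(ps);
    got = fread(out, 1, sizeof out - 1, ps);
    out[got] = '\0';
    fclose(hdr);
    fclose(ps);
    return strstr(out, ") run") != NULL;
}
```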

