[luatex] io.popen security (was: slow io.popen)

Taco Hoekwater taco at elvenkind.com
Tue Jan 29 10:02:02 CET 2013


On 01/28/2013 11:23 PM, Stephan Hennig wrote:
> Am 27.01.2013 11:37, schrieb Taco Hoekwater:
>
>> The extra slowness on linux is as expected: texlua has some extra
>> code in io that is needed for 'luatex' mode,
>
> While reading your answer, I immediately thought that 'luatex' mode must
> have something to do with sanitizing the argument to popen.  But I'm
> indeed able to remove arbitrary files in the file system by saying
>
>    io.popen('rm -f whatever')
>
> Shouldn't popen in luatex/texlua be kept from executing arbitrary
> commands similar to the \write18 feature?

On my system,

   \directlua { assert(io.popen('rm -f whatever')) }

produces:

   ! LuaTeX error [string "\directlua "]:1: Command execution disabled
   via shell_escape='p'

as it should.

   This is LuaTeX, Version beta-0.75.0-2013010711 (rev 4532)  (INITEX)

Best wishes,
Taco
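The distinction above (engine-enforced shell_escape in luatex mode, no such guard in texlua) is the point a script author has to deal with. The following Lua snippet is an added example, not code from this thread or from the LuaTeX project: it gates io.popen on an allowlist of programs and, where available, on the engine's reported shell_escape state. It assumes the LuaTeX `status.shell_escape` field (0 = disabled, 1 = enabled, 2 = restricted, per the LuaTeX manual) and that the `status` table may be absent under plain texlua; `ALLOWED` is a constructed allowlist.

```lua
-- Added example: gate io.popen instead of calling it directly.
-- Assumption: status.shell_escape is 0 (disabled), 1 (enabled) or
-- 2 (restricted) in luatex mode; under texlua, `status` may be nil,
-- so the script's own allowlist is the only control that applies.
local ALLOWED = { kpsewhich = true, ls = true }   -- constructed allowlist

local function engine_shell_state()
  if status and status.shell_escape then
    return status.shell_escape   -- luatex mode: engine enforces this too
  end
  return nil                     -- texlua mode: no engine-side enforcement
end

-- Returns the command output, or nil plus a reason for refusal.
local function guarded_popen(cmd)
  local prog = cmd:match("^%s*(%S+)")
  if not prog or not ALLOWED[prog] then
    return nil, "refused: '" .. tostring(prog) .. "' is not in the allowlist"
  end
  if engine_shell_state() == 0 then
    return nil, "refused: shell escape is disabled by the engine"
  end
  -- In luatex mode the engine may still reject the call (shell_escape='p'
  -- gives "Command execution disabled"); pcall turns that error into a
  -- return value instead of aborting the whole run.
  local ok, handle, err = pcall(io.popen, cmd, "r")
  if not ok then return nil, handle end   -- `handle` holds the error text
  if not handle then return nil, err end
  local out = handle:read("*a")
  handle:close()
  return out
end

-- The command from the thread is refused by the allowlist in both modes.
print(guarded_popen("rm -f whatever"))
-- An allowlisted program still runs only if the engine permits it.
print(guarded_popen("kpsewhich texmf.cnf"))
```

Under texlua the allowlist is the sole barrier, so keep it to the few programs the script genuinely needs; under luatex with shell_escape='p' the engine's restricted list is applied on top of it.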
