[luatex] io.popen security (was: slow io.popen)
Taco Hoekwater
taco at elvenkind.com
Tue Jan 29 10:02:02 CET 2013
On 01/28/2013 11:23 PM, Stephan Hennig wrote:
> On 27.01.2013 11:37, Taco Hoekwater wrote:
>
>> The extra slowness on linux is as expected: texlua has some extra
>> code in io that is needed for 'luatex' mode,
>
> While reading your answer, I immediately thought that 'luatex' mode must
> have something to do with sanitizing the argument to popen. But I'm
> indeed able to remove arbitrary files in the file system by saying
>
> io.popen('rm -f whatever')
>
> Shouldn't popen in luatex/texlua be kept from executing arbitrary
> commands similar to the \write18 feature?

On my system,

  \directlua { assert(io.popen('rm -f whatever')) }

produces:

  ! LuaTeX error [string "\directlua "]:1: Command execution disabled
  via shell_escape='p'

as it should.

This is LuaTeX, Version beta-0.75.0-2013010711 (rev 4532) (INITEX)

Best wishes,
Taco