[luatex] Security review for extractbb.lua
Joseph Wright
joseph at texdev.net
Mon Nov 18 09:20:09 CET 2024
On 17/11/2024 10:16, Max Chernoff via luatex wrote:
> Hi all,
>
> We're considering replacing the "extractbb" program with a new
> implementation written in Lua:
>
> https://github.com/gucci-on-fleek/extractbb
>
> Because "extractbb" is allowed to run in restricted shell-escape mode, I
> want to make sure that the new implementation is secure.
>
> Is there anyone here interested in doing a security review? If so, then
> please send any comments/suggestions in a reply to this list, to me
> privately, or on the linked GitHub page. I'm mainly interested in the
> `source/extractbb-scratch.lua` file, but I'm definitely open to
> suggestions for the other files as well.

No expert on security, but looks well thought-out to me - very nice. I
guess the C-binding is the tricky part, but that's well outside my area
of expertise.

Joseph

P.S. Nice use of l3build :)