[luatex] Make luatex security wrappers available
luigi scarso
luigi.scarso at gmail.com
Fri Jan 24 14:53:34 CET 2025
On Fri, 24 Jan 2025 at 13:06, Lukas Heindl via luatex <luatex at tug.org>
wrote:
> Hi,
>
> alright, I see.
>
> There is one (not security critical) odd thing regarding these wrappers.
> Why do you check names/paths for output and input regarding kpse when
> wrapping mkdir? [1]
> Checking if it's a valid output totally makes sense, but why also check if
> it's a valid output?
> (sorry for bothering again, but since this is security related, I don't
> want to silently ignore this here)
>
> I see according to git blame this was changed ~1 year ago when adding the
> wrapper but maybe someone still knows the rationale behind this.
> Also to be clear, I'm not seeking to remove the additional check in
> luatex, I just want to understand (and react based on it for the custom
> wrapper I'm writing).
>
>
iirc to be safe with in/out names, see kpathsea.info 5.6.4 Auxiliary tasks.
--
luigi