texlive[58283] Build/source/texk/web2c/lib: Disable commands
commits+kakuto at tug.org
Fri Mar 12 00:48:40 CET 2021
Revision: 58283
http://tug.org/svn/texlive?view=revision&revision=58283
Author: kakuto
Date: 2021-03-12 00:48:40 +0100 (Fri, 12 Mar 2021)
Log Message:
-----------
Disable commands containing a character '|' for write18 in restricted mode for security.
Modified Paths:
--------------
trunk/Build/source/texk/web2c/lib/ChangeLog
trunk/Build/source/texk/web2c/lib/texmfmp.c
Modified: trunk/Build/source/texk/web2c/lib/ChangeLog
===================================================================
--- trunk/Build/source/texk/web2c/lib/ChangeLog 2021-03-11 23:05:10 UTC (rev 58282)
+++ trunk/Build/source/texk/web2c/lib/ChangeLog 2021-03-11 23:48:40 UTC (rev 58283)
@@ -1,3 +1,8 @@
+2021-03-12 Akira Kakuto <kakuto at w32tex.org>
+
+ * texmfmp.c: Disable commands containing a character '|' for
+ write18 in restricted mode for security.
+
2021-01-01 Akira Kakuto <kakuto at w32tex.org>
* printversion.c: Update copyright year.
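Review bot: the new entry gives the reason only as "for security" and does not record what happens to a rejected command. The texmfmp.c change in this revision returns 0 without calling `system`, and that is the behaviour a user of restricted write18 will see, so the entry should say so.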
Modified: trunk/Build/source/texk/web2c/lib/texmfmp.c
===================================================================
--- trunk/Build/source/texk/web2c/lib/texmfmp.c 2021-03-11 23:05:10 UTC (rev 58282)
+++ trunk/Build/source/texk/web2c/lib/texmfmp.c 2021-03-11 23:48:40 UTC (rev 58283)
@@ -610,8 +610,18 @@
if (allow == 1)
status = system (cmd);
- else if (allow == 2)
+ else if (allow == 2) {
+/*
+ command including a character '|' is not allowed in
+ restricted mode for security.
+*/
+ size_t k;
+ for (k = 0; k < strlen (safecmd); k++) {
+ if (safecmd[k] == '|')
+ return 0;
+ }
status = system (safecmd);
+ }
/* Not really meaningful, but we have to manage the return value of system. */
if (status != 0)
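Review bot: the `return 0;` inside the new loop leaves the function before the status handling that follows `status = system (safecmd);`, so a rejected command skips whatever cleanup comes after these lines and produces no diagnostic. Setting a flag and falling through to the common exit path would be safer, or freeing `safecmd` before returning if it is heap-allocated, which the hunk does not show. The meaning of a 0 return for the caller should be documented next to the check. The scan itself can be written as `if (strchr (safecmd, '|') != NULL)`, which avoids re-evaluating `strlen (safecmd)` on every iteration. The comment should also state that '|' is rejected anywhere in the string, including inside a quoted argument, so the over-broad match reads as intentional.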