texlive[66407] Build/extra/epstopdf: 2.31: disallow --nosafer and
commits+karl at tug.org
commits+karl at tug.org
Tue Mar 7 00:44:49 CET 2023
Revision: 66407
http://tug.org/svn/texlive?view=revision&revision=66407
Author: karl
Date: 2023-03-07 00:44:49 +0100 (Tue, 07 Mar 2023)
Log Message:
-----------
2.31: disallow --nosafer and pipes in restricted mode
Modified Paths:
--------------
trunk/Build/extra/epstopdf/Makefile
trunk/Build/extra/epstopdf/epstopdf.1
trunk/Build/extra/epstopdf/epstopdf.pl
Modified: trunk/Build/extra/epstopdf/Makefile
===================================================================
--- trunk/Build/extra/epstopdf/Makefile 2023-03-06 22:58:37 UTC (rev 66406)
+++ trunk/Build/extra/epstopdf/Makefile 2023-03-06 23:44:49 UTC (rev 66407)
@@ -24,8 +24,10 @@
check-output \
check-pdfversion \
check-percent \
+ check-restricted-nosafer \
check-restricted-device \
check-restricted-gscmd \
+ check-restricted-outfile \
check-restricted-safe-in check-restricted-safe-out \
check-simple \
check-tn5002 \
@@ -56,6 +58,13 @@
$(re2p) --gsopt=-dAutoFilterColorImages=true test-simple.eps
! $(re2p) --gsopt=-dNOSAFER=false test-simple.eps
+check-restricted-nosafer: $(re2p_script)
+ ! $(re2p) --nosafer test-simple.eps -o test-nosafer.pdf
+
+check-restricted-outfile: $(re2p_script)
+ ! $(re2p) test-simple.eps -o "%pipe%echo should not echo"
+ ! $(re2p) test-simple.eps -o "|echo should not echo"
+
check-restricted-safe-in: $(re2p_script)
! $(re2p) /unsafe/in.eps
@@ -170,10 +179,15 @@
rm -rf $(prg)
# upload .tar.gz to ctan.org/upload, mv .html ~www/$(prg).
+# compare cwd against last release
+orig_epstopdf = /home/texlive/trunk/Master/texmf-dist/scripts/epstopdf/epstopdf.pl
+dist-diff:
+ diff -u0 $(orig_epstopdf) $(prg).pl
+
groff = groff
groff_opts = -man -t
pspdf = ps2pdf -sPAPERSIZE=a4
-$(prg).man1.pdf: $(prg).1
+$(prg).man1.pdf pdf: $(prg).1
$(groff) $(groff_opts) $< | $(pspdf) - $@
$(prg).html: $(prg).1
$(groff) $(groff_opts) -Thtml $< >$@
Modified: trunk/Build/extra/epstopdf/epstopdf.1
===================================================================
--- trunk/Build/extra/epstopdf/epstopdf.1 2023-03-06 22:58:37 UTC (rev 66406)
+++ trunk/Build/extra/epstopdf/epstopdf.1 2023-03-06 23:44:49 UTC (rev 66407)
@@ -1,4 +1,4 @@
-.TH EPSTOPDF 1 "29 August 2022"
+.TH EPSTOPDF 1 "6 March 2023"
.\" $Id$
.SH NAME
epstopdf, repstopdf \- convert an EPS file to PDF
@@ -62,7 +62,7 @@
scan HiresBoundingBox (default: false).
.IP "\fB--restricted\fP=\fIval\fP"
turn on restricted mode (default: [true for repstopdf, else false]);
-this forbids the use of \fB--gscmd\fP and other options and imposes
+this forbids the use of \fB--gscmd\fP, among other options, and imposes
restrictions on the input and output file names according to the values
of openin_any and openout_any (see the Web2c manual, https://tug.org/web2c).
On Windows, the Ghostscript command is forced to be the TeX Live builtin
@@ -108,12 +108,12 @@
options \fB--gsopts\fP and \fB--gsopt.\fP
.PP
\fB--gsopts\fP takes a single string of options, which is split at
-whitespace, each resulting word then added to the gs command line
+whitespace; each resulting word then added to the gs command line
individually.
.PP
\fB--gsopt\fP adds its argument as a single option to the gs command
-line. It can be used multiple times to specify options separately,
-and is necessary if an option or its value contains whitespace.
+line. It can be used multiple times to specify options separately.
+This must be used if a gs option or its value contains whitespace.
.PP
In restricted mode, options are limited to those with names and values
known to be safe. Some options taking booleans, integers or fixed
@@ -135,7 +135,7 @@
.PP
Example for \fBepstopdf\fP's attempt at correcting PostScript:
.nf
-$program --nogs test.ps >testcorr.ps
+epstopdf --nogs test.ps >testcorr.ps
.fi
.PP
In all cases, you can add \fB--debug\fP (\fB-d\fP) to see more about
@@ -144,9 +144,10 @@
The case of "%%BoundingBox: (atend)" when input is not seekable (e.g.,
from a pipe) is not supported.
.PP
-Report bugs in the program or this man page to tex-k at tug.org. When
-reporting bugs, please include an input file and the command line
-options specified, so the problem can be reproduced.
+Report bugs in the program or this man page to tex-k at tug.org
+(https://lists.tug.org/tex-live). When reporting bugs, please include an
+input file and the command line options specified, so the problem can be
+reproduced.
.SH SEE ALSO
\fBgs\fP(1),
\fBpdfcrop\fP(1).
@@ -163,3 +164,6 @@
epstopdf home page: https://tug.org/epstopdf.
.PP
You may freely use, modify and/or distribute this man page.
+The epstopdf script is released under a modified BSD license.
+.PP
+$Id$
Modified: trunk/Build/extra/epstopdf/epstopdf.pl
===================================================================
--- trunk/Build/extra/epstopdf/epstopdf.pl 2023-03-06 22:58:37 UTC (rev 66406)
+++ trunk/Build/extra/epstopdf/epstopdf.pl 2023-03-06 23:44:49 UTC (rev 66407)
@@ -35,7 +35,11 @@
#
# emacs-page
#
-my $ver = "2.30";
+my $ver = "2.31";
+# 2023/03/06 v2.31 (Karl Berry)
+# * disallow --nosafer in restricted mode.
+# * disallow output to pipes in restricted mode.
+# Report from nikolay.ermishkin to tlsecurity.
# 2022/09/05 v2.30 (Siep Kroonenberg)
# * still use gswin32c if gswin64c.exe not on PATH.
# 2022/08/29 v2.29 (Karl Berry)
@@ -195,7 +199,7 @@
my $program = "epstopdf";
my $ident = '($Id$)' . " $ver";
my $copyright = <<END_COPYRIGHT ;
-Copyright 2009-2022 Karl Berry et al.
+Copyright 2009-2023 Karl Berry et al.
Copyright 2002-2009 Gerben Wierda et al.
Copyright 1998-2001 Sebastian Rahtz et al.
License RBSD: Revised BSD <http://www.xfree86.org/3.3.6/COPYRIGHT2.html#5>
@@ -498,8 +502,9 @@
my $mydirname = dirname $0;
# $mydirname is the location of the Perl script
$kpsewhich = "$mydirname/../../../bin/win32/$kpsewhich";
+ debug "Restricted Windows kpsewhich: $kpsewhich";
$GS = "$mydirname/../../../tlpkg/tlgs/bin/$GS";
- debug "restricted Windows gs: $GS";
+ debug "Restricted Windows gs: $GS";
}
debug "kpsewhich command: $kpsewhich";
@@ -512,7 +517,8 @@
$option = '-safe-out-name' if $mode eq 'out';
error "Unknown check mode in safe_name(): $mode" unless $option;
my @args = ($kpsewhich, '-progname', 'repstopdf', $option, $name);
- my $bad = system {$args[0]} @args;
+ debug "Checking safe_name with: @args";
+ my $bad = system { $args[0] } @args;
return ! $bad;
}
@@ -569,10 +575,21 @@
}
}
+### option (no)safer
+my $gs_opt_safer = "-dSAFER";
+if (! $::opt_safer) {
+ if ($restricted) {
+ error "Option forbidden in restricted mode: --nosafer";
+ } else {
+ debug "Switching from $gs_opt_safer to -dNOSAFER";
+ $gs_opt_safer = "--nosafer";
+ }
+}
+
### start building GS command line for the pipe
my @GS = ($GS);
push @GS, '-q' if $::opt_quiet;
-push @GS, $::opt_safer ? '-dSAFER' : '-dNOSAFER';
+push @GS, $gs_opt_safer;
push @GS, '-dNOPAUSE';
push @GS, '-dBATCH';
push @GS, '-dCompatibilityLevel=1.5';
@@ -609,7 +626,13 @@
$OutputFilename = "-";
}
}
-$OutputFilename =~ s/%/%%/g; # we will do the escaping for gs
+#
+# gs -sOutputFilename opens pipes itself if the string starts with
+# %pipe or |. Disallow this in restricted mode.
+if ($restricted && $OutputFilename =~ /^(%pipe|\|)/) {
+ error "Output to pipe forbidden in restricted mode: $OutputFilename";
+}
+$OutputFilename =~ s/%/%%/g; # stop gs interpretation of % characters
debug "Output filename:", $OutputFilename;
push @GS, "-sOutputFile=$OutputFilename";
@@ -737,6 +760,7 @@
debug "No Ghostscript: opening $OutputFilename";
if ($OutputFilename eq "-") {
$OUT = *STDOUT;
+ $outname = "-";
} else {
open($OUT, '>', $OutputFilename)
|| error ("Cannot write \"$OutputFilename\": $!");
@@ -795,7 +819,7 @@
debug " No checksum";
}
else {
- debug " checksum: $checksum";
+ debug " Checksum: $checksum";
my $cs = 0;
map { $cs ^= $_ } unpack('n14', $header);
if ($cs != $checksum) {
More information about the tex-live-commits
mailing list.