texlive[69416] Build/source/texk/kpathsea: add "extended"

commits+karl at tug.org commits+karl at tug.org
Sun Jan 14 19:27:55 CET 2024


Revision: 69416
          https://tug.org/svn/texlive?view=revision&revision=69416
Author:   karl
Date:     2024-01-14 19:27:55 +0100 (Sun, 14 Jan 2024)
Log Message:
-----------
add "extended" (TEXMF[SYS]VAR) safe filename mode for LuaLaTeX; bump version to 6.4.0/dev

Modified Paths:
--------------
    trunk/Build/source/texk/kpathsea/ChangeLog
    trunk/Build/source/texk/kpathsea/Makefile.am
    trunk/Build/source/texk/kpathsea/Makefile.in
    trunk/Build/source/texk/kpathsea/NEWS
    trunk/Build/source/texk/kpathsea/c-auto.in
    trunk/Build/source/texk/kpathsea/configure
    trunk/Build/source/texk/kpathsea/doc/kpathsea.info
    trunk/Build/source/texk/kpathsea/doc/kpathsea.texi
    trunk/Build/source/texk/kpathsea/kpsewhich.c
    trunk/Build/source/texk/kpathsea/tex-file.c
    trunk/Build/source/texk/kpathsea/tex-file.h
    trunk/Build/source/texk/kpathsea/version.ac

Added Paths:
-----------
    trunk/Build/source/texk/kpathsea/tests/kpsesafe.test

Modified: trunk/Build/source/texk/kpathsea/ChangeLog
===================================================================
--- trunk/Build/source/texk/kpathsea/ChangeLog	2024-01-14 00:45:55 UTC (rev 69415)
+++ trunk/Build/source/texk/kpathsea/ChangeLog	2024-01-14 18:27:55 UTC (rev 69416)
@@ -1,3 +1,23 @@
+2024-01-14  Karl Berry  <karl at freefriends.org>
+
+	* version.ac: bump to 6.4.0/dev.
+
+	* tex-file.h (kpathsea_{in,out}_name_ok{,_silent}_extended):
+	four more declarations for extended access checks including
+	TEXMF[SYS]VAR (needed for luaotfload and hence LuaLaTeX).
+	* tex-file.c (abs_fname_ok): new helper fn.
+	(kpathsea_name_ok): new parameter, extended.
+	(kpathsea_{in,out}_ok_name{,_silent}): pass additional false arg.
+	(kpathsea_{in,out}_ok_name{,_silent}{,_extended}): new fns,
+	passing true.
+	* kpsewhich.c (-safe-extended-in-name, -safe-extended-out-name):
+	new options, corresponding variables, calls.	
+	* doc/kpathsea.texi (Safe filenames): new node to document this.
+	(Security): update.
+	(Global font cache and security): split off new node from Security.
+	* Makefile.am (TESTS): add kpsesafe.test.
+	* tests/kpsesafe.test: new test.
+
 2023-10-11  Karl Berry  <karl at tug.org>
 
 	* texmf.cnf (shell_escape_commands): add memoize-extract.pl and .py,

Modified: trunk/Build/source/texk/kpathsea/Makefile.am
===================================================================
--- trunk/Build/source/texk/kpathsea/Makefile.am	2024-01-14 00:45:55 UTC (rev 69415)
+++ trunk/Build/source/texk/kpathsea/Makefile.am	2024-01-14 18:27:55 UTC (rev 69416)
@@ -1,7 +1,7 @@
 ## $Id$
 ## Makefile.am for the TeX Live subdirectory texk/kpathsea/
 ##
-## Copyright 2015-2020 Karl Berry <tex-live at tug.org>
+## Copyright 2015-2024 Karl Berry <tex-live at tug.org>
 ## Copyright 2009-2015 Peter Breitenlohner <tex-live at tug.org>
 ## You may freely use, modify and/or distribute this file.
 
@@ -278,10 +278,11 @@
 TESTS  = tests/cnfline.test tests/cnfnewline.test
 TESTS += tests/cnfnull.test tests/cnfprog.test
 TESTS += tests/kpseaccess.test
-TESTS += tests/kpsereadlink.test tests/kpsestat.test tests/kpsewhich.test
+TESTS += tests/kpsereadlink.test
+TESTS += tests/kpsesafe.test tests/kpsestat.test tests/kpsewhich.test
 #
 tests/cnfline.log tests/cnfnewline.log tests/cnfnull.log tests/cnfprog.log \
-  tests/kpsewhich.log: kpsewhich$(EXEEXT)
+  tests/kpsesafe.log tests/kpsewhich.log: kpsewhich$(EXEEXT)
 tests/kpseaccess.log: kpseaccess$(EXEEXT)
 tests/kpsereadlink.log: kpsereadlink$(EXEEXT)
 tests/kpsestat.log: kpsestat$(EXEEXT)
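Review bot: Nothing at the new `TESTS += tests/kpsesafe.test tests/kpsestat.test tests/kpsewhich.test` line says that kpsesafe.test guards a security check rather than ordinary path searching. Going by the ChangeLog entry in this commit, it is the only test added alongside the extended safe-filename functions and the -safe-extended-in-name and -safe-extended-out-name options, and the `tests/kpsesafe.log` rule shows it runs through kpsewhich. I would put a comment above the entry, for example `# kpsesafe.test: regression test for the safe filename checks, run via kpsewhich.`, so that a later cleanup does not drop it or mark it as an expected failure without a security review. The test file itself is outside this hunk, so what it covers is inferred from the ChangeLog, not verified here.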

Modified: trunk/Build/source/texk/kpathsea/Makefile.in
===================================================================
--- trunk/Build/source/texk/kpathsea/Makefile.in	2024-01-14 00:45:55 UTC (rev 69415)
+++ trunk/Build/source/texk/kpathsea/Makefile.in	2024-01-14 18:27:55 UTC (rev 69416)
@@ -865,8 +865,8 @@
 #
 TESTS = tests/cnfline.test tests/cnfnewline.test tests/cnfnull.test \
 	tests/cnfprog.test tests/kpseaccess.test \
-	tests/kpsereadlink.test tests/kpsestat.test \
-	tests/kpsewhich.test
+	tests/kpsereadlink.test tests/kpsesafe.test \
+	tests/kpsestat.test tests/kpsewhich.test
 
 # Rebuild
 rebuild_prereq = 
@@ -2437,7 +2437,7 @@
 	done
 #
 tests/cnfline.log tests/cnfnewline.log tests/cnfnull.log tests/cnfprog.log \
-  tests/kpsewhich.log: kpsewhich$(EXEEXT)
+  tests/kpsesafe.log tests/kpsewhich.log: kpsewhich$(EXEEXT)
 tests/kpseaccess.log: kpseaccess$(EXEEXT)
 tests/kpsereadlink.log: kpsereadlink$(EXEEXT)
 tests/kpsestat.log: kpsestat$(EXEEXT)

Modified: trunk/Build/source/texk/kpathsea/NEWS
===================================================================
--- trunk/Build/source/texk/kpathsea/NEWS	2024-01-14 00:45:55 UTC (rev 69415)
+++ trunk/Build/source/texk/kpathsea/NEWS	2024-01-14 18:27:55 UTC (rev 69416)
@@ -1,6 +1,13 @@
 $Id$
 This file records noteworthy changes.  (Public domain.)
 
+6.4.0 (for TeX Live 2024)
+* Support an extended check for safe filenames, also allowing
+  TEXMF[SYS]VAR, for Lua(La)TeX; new functions and corresponding
+  kpsewhich options.
+* Allow the new variable TEXMF_OUTPUT_DIRECTORY (as well as TEXMFOUTPUT),
+  so that subprograms can have access to an --output-directory setting.
+
 6.3.5 (for TeX Live 2023, 9 March 2023)
 * Support guessing input file encodings for Unix-ish platforms, as on
   Windows; enabled for (e)p(la)tex, pbibtex, mendex.

Modified: trunk/Build/source/texk/kpathsea/c-auto.in
===================================================================
--- trunk/Build/source/texk/kpathsea/c-auto.in	2024-01-14 00:45:55 UTC (rev 69415)
+++ trunk/Build/source/texk/kpathsea/c-auto.in	2024-01-14 18:27:55 UTC (rev 69416)
@@ -23,7 +23,7 @@
 #define KPATHSEA_C_AUTO_H
 
 /* kpathsea: the version string. */
-#define KPSEVERSION "kpathsea version 6.3.6/dev"
+#define KPSEVERSION "kpathsea version 6.4.0/dev"
 
 /* Define to 1 if the 'closedir' function returns void instead of int. */
 #undef CLOSEDIR_VOID

Modified: trunk/Build/source/texk/kpathsea/configure
===================================================================
--- trunk/Build/source/texk/kpathsea/configure	2024-01-14 00:45:55 UTC (rev 69415)
+++ trunk/Build/source/texk/kpathsea/configure	2024-01-14 18:27:55 UTC (rev 69416)
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.72 for Kpathsea 6.3.6/dev.
+# Generated by GNU Autoconf 2.72 for Kpathsea 6.4.0/dev.
 #
 # Report bugs to <tex-k at tug.org>.
 #
@@ -614,8 +614,8 @@
 # Identity of this package.
 PACKAGE_NAME='Kpathsea'
 PACKAGE_TARNAME='kpathsea'
-PACKAGE_VERSION='6.3.6/dev'
-PACKAGE_STRING='Kpathsea 6.3.6/dev'
+PACKAGE_VERSION='6.4.0/dev'
+PACKAGE_STRING='Kpathsea 6.4.0/dev'
 PACKAGE_BUGREPORT='tex-k at tug.org'
 PACKAGE_URL=''
 
@@ -1372,7 +1372,7 @@
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-'configure' configures Kpathsea 6.3.6/dev to adapt to many kinds of systems.
+'configure' configures Kpathsea 6.4.0/dev to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1443,7 +1443,7 @@
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of Kpathsea 6.3.6/dev:";;
+     short | recursive ) echo "Configuration of Kpathsea 6.4.0/dev:";;
    esac
   cat <<\_ACEOF
 
@@ -1572,7 +1572,7 @@
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-Kpathsea configure 6.3.6/dev
+Kpathsea configure 6.4.0/dev
 generated by GNU Autoconf 2.72
 
 Copyright (C) 2023 Free Software Foundation, Inc.
@@ -2353,7 +2353,7 @@
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by Kpathsea $as_me 6.3.6/dev, which was
+It was created by Kpathsea $as_me 6.4.0/dev, which was
 generated by GNU Autoconf 2.72.  Invocation command line was
 
   $ $0$ac_configure_args_raw
@@ -3131,10 +3131,10 @@
 
 
 
-KPSEVERSION=6.3.6/dev
+KPSEVERSION=6.4.0/dev
 
 
-KPSE_LT_VERSINFO=9:6:3
+KPSE_LT_VERSINFO=10:0:4
 
 
 
@@ -8924,7 +8924,7 @@
 
 # Define the identity of the package.
  PACKAGE='kpathsea'
- VERSION='6.3.6/dev'
+ VERSION='6.4.0/dev'
 
 
 printf "%s\n" "#define PACKAGE \"$PACKAGE\"" >>confdefs.h
@@ -15940,7 +15940,7 @@
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by Kpathsea $as_me 6.3.6/dev, which was
+This file was extended by Kpathsea $as_me 6.4.0/dev, which was
 generated by GNU Autoconf 2.72.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -16008,7 +16008,7 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config='$ac_cs_config_escaped'
 ac_cs_version="\\
-Kpathsea config.status 6.3.6/dev
+Kpathsea config.status 6.4.0/dev
 configured by $0, generated by GNU Autoconf 2.72,
   with options \\"\$ac_cs_config\\"
 

Modified: trunk/Build/source/texk/kpathsea/doc/kpathsea.info
===================================================================
--- trunk/Build/source/texk/kpathsea/doc/kpathsea.info	2024-01-14 00:45:55 UTC (rev 69415)
+++ trunk/Build/source/texk/kpathsea/doc/kpathsea.info	2024-01-14 18:27:55 UTC (rev 69416)
@@ -1,9 +1,9 @@
-This is kpathsea.info, produced by makeinfo version 6.5 from
+This is kpathsea.info, produced by makeinfo version 7.1 from
 kpathsea.texi.
 
 This file documents the Kpathsea library for path searching.
 
-   Copyright (C) 1996-2023 Karl Berry & Olaf Weber.
+   Copyright © 1996-2024 Karl Berry & Olaf Weber.
 
    Permission is granted to make and distribute verbatim copies of this
 manual provided the copyright notice and this permission notice are
@@ -37,7 +37,7 @@
 ****************
 
 This manual documents the Kpathsea library for path searching.  It
-corresponds to version 6.3.5, released in October 2023.
+corresponds to version 6.4.0, released in January 2024.
 
 * Menu:
 
@@ -61,8 +61,8 @@
 1 Introduction
 **************
 
-This manual corresponds to version 6.3.5 of the Kpathsea library,
-released in October 2023.
+This manual corresponds to version 6.4.0 of the Kpathsea library,
+released in January 2024.
 
    The library's fundamental purpose is to return a filename from a list
 of directories specified by the user, similar to what shells do when
@@ -71,11 +71,11 @@
    The following software, all of which is maintained in parallel, uses
 this library:
 
-   * Dviljk (see the 'dvilj' man page)
-   * Dvipsk (*note (dvips)::)
-   * GNU font utilities (*note (fontu)::)
-   * Web2c (*note (web2c)::)
-   * Xdvik (see the 'xdvi' man page)
+   • Dviljk (see the ‘dvilj’ man page)
+   • Dvipsk (*note (dvips)::)
+   • GNU font utilities (*note (fontu)::)
+   • Web2c (*note (web2c)::)
+   • Xdvik (see the ‘xdvi’ man page)
 
 Other software that we do not maintain also uses it.
 
@@ -99,7 +99,7 @@
 
    If you know enough about TeX to be reading this manual, then you (or
 your institution) should consider joining the TeX Users Group (if you're
-already a member, thanks!).  TUG produces the periodical 'TUGboat',
+already a member, thanks!).  TUG produces the periodical ‘TUGboat’,
 sponsors an annual meeting and publishes the proceedings, and arranges
 courses on TeX for all levels of users throughout the world.  See
 <https://tug.org> for information.
@@ -117,7 +117,7 @@
 This section is for those people who are curious about how the library
 came about.  If you like to read historical accounts of software, we
 urge you to seek out the GNU Autoconf manual and the "Errors of TeX"
-paper by Don Knuth, published in his book 'Digital Typography', among
+paper by Don Knuth, published in his book ‘Digital Typography’, among
 other places.
 
    [Karl writes.]  My first ChangeLog entry for Web2c seems to be
@@ -125,11 +125,11 @@
 Tim Morgan and I were jointly maintaining it for a time.  (I should
 mention here that Tim had made Web2c into a real distribution long
 before I had ever used it or even heard of it, and Tom Rokicki did the
-original implementation.  When I started, I was using 'pxp' and 'pc' on
+original implementation.  When I started, I was using ‘pxp’ and ‘pc’ on
 VAX 11/750's and the hot new Sun 2 machines.)
 
    It must have been later in 1990 and 1991 that I started working on
-'TeX for the Impatient'.  Dvips, Xdvi, Web2c, and the GNU fontutils
+‘TeX for the Impatient’.  Dvips, Xdvi, Web2c, and the GNU fontutils
 (which I was also writing at the time) all used different environment
 variables, and, more importantly, had different bugs in their path
 searching.  This became extremely painful, as I was stressing everything
@@ -136,7 +136,7 @@
 to the limit working on the book.  I also desperately wanted to
 implement subdirectory searching, since I couldn't stand putting
 everything in one big directory, and also couldn't stand having to
-explicitly specify 'cm', 'pandora', ... in a path.
+explicitly specify ‘cm’, ‘pandora’, ... in a path.
 
    In the first incarnation, I just hacked separately on each
 program--that was the original subdirectory searching code in both Xdvi
@@ -198,7 +198,7 @@
 
 File: kpathsea.info,  Node: unixtex.ftp,  Next: Security,  Prev: Introduction,  Up: Top
 
-2 'unixtex.ftp': Obtaining TeX
+2 ‘unixtex.ftp’: Obtaining TeX
 ******************************
 
 This is <ftp://tug.org/tex/unixtex.ftp>, a.k.a.
@@ -216,7 +216,7 @@
 part of TeX Live.
 
    The host ftp.cs.stanford.edu is the original source for the files for
-which Donald Knuth is directly responsible: 'tex.web', 'plain.tex', etc.
+which Donald Knuth is directly responsible: ‘tex.web’, ‘plain.tex’, etc.
 However, unless you want to undertake the project of building your TeX
 system from scratch, it is more reliable and less work to retrieve these
 files as part of a larger package.
@@ -237,51 +237,95 @@
 privileges, so there's no first-level security concern of people gaining
 illegitimate root access.
 
-   A TeX document, however, can write to arbitrary files, e.g.,
-'~/.rhosts', and thus an unwitting user who runs TeX on a random
-document is vulnerable to a trojan horse attack.  This loophole is
-closed by default, but you can be permissive if you so desire in
-'texmf.cnf'.  *Note (web2c)tex invocation::.  MetaPost has the same
-issue.
+   Thus, the general goal of our security measures is to make an
+untrusted TeX document safe to execute, in the sense of no document
+being able to change the system or user configuration, or somehow
+transmit information to an attacker.  Here are some of the steps that
+have been taken to make the TeX system safe in this regard:
 
-   Dvips, Xdvi, and TeX can also execute shell commands under some
-circumstances.  To disable this, see the '-R' option in *note
-(dvips)Option details::, the xdvi man page, and *note (web2c)tex
-invocation::, respectively.
+   • A TeX document can write to arbitrary files via ‘\openout’, e.g.,
+     ‘~/.profile’, and thus an unwitting user who runs TeX on an
+     untrusted document is vulnerable to a trojan horse attack.  This
+     loophole is closed by default, but you can be permissive if you so
+     desire in ‘texmf.cnf’.  *Note (web2c)tex invocation::.  MetaPost
+     has the same issue.
 
-   Another security issue arises because it's very useful--almost
-necessary--to make arbitrary fonts on user demand with 'mktexpk' and
-friends.  Where do these files get installed?  By default, the 'mktexpk'
-distributed with Kpathsea assumes a world-writable '/var/tmp' directory;
-this is a simple and convenient approach, but it may not suit your
-situation because it means that a local cache of fonts is created on
-every machine.
+   • Dvips, Xdvi, TeX, and others can execute shell commands.  By
+     default, only a handful of commands that are believed to be safe
+     (to the best of our ability to check) are allowed.  For the list,
+     see the ‘shell_escape_commands’ variable in ‘texmf.cnf’ (*note
+     (web2c)Shell escapes::).  For more information, e.g., to disable
+     this completely, see the ‘-R’ option in *note (dvips)Option
+     details::, the xdvi man page, and *note (web2c)tex invocation::,
+     respectively.
 
+   • LuaTeX is a special case.  Since Lua is a general-purpose
+     programming language, it has all the usual functionality for
+     writing files, executing shell commands, and plenty more.  When
+     LuaTeX is used in its so-called "kpse" mode, as with LuaLaTeX, we
+     have nevertheless done our best to also make it safe to execute by
+     default, by disabling or restricting the various problematic Lua
+     features.  *Note Safe filenames::, for a bit more about this.  (By
+     the way, when LuaTeX is run in non-kpse mode, as with ConTeXt MkIV,
+     everything is allowed; thus, untrusted documents should not be
+     processed without checking.)
+
+   • There are some well-known ways to crash TeX, using (deliberately
+     unchecked) arithmetic overflow and other nefarious constructs (some
+     are listed at <https://tug.org/texmfbug/nobug.html>.  While
+     disturbing, TeX has no special system access and so these crashes
+     don't present a security risk.
+
+   • One more issue is the desire for a globally writable font cache
+     directory; see the section below for this (*note Global font cache
+     and security::).
+
+* Menu:
+
+* Global font cache and security::
+
+
+File: kpathsea.info,  Node: Global font cache and security,  Up: Security
+
+3.1 Global font cache and security
+==================================
+
+It's useful to make arbitrary fonts on user demand with ‘mktexpk’ and
+friends.  Where do these files get installed?  By default, the ‘mktexpk’
+distributed with Kpathsea assumes a world-writable ‘/var/tmp’ directory;
+this is a simple and convenient approach, but it does not suit all
+situations, because it means that a local cache of fonts is created on
+every user's system.
+
    To avoid this duplication, many people consider a shared, globally
 writable font tree desirable, in spite of the potential security
-problems.  To do this you should change the value of 'VARTEXFONTS' in
-'texmf.cnf' to refer to some globally known directory.  *Note mktex
+problems.  To do this you should change the value of ‘VARTEXFONTS’ in
+‘texmf.cnf’ to refer to some globally known directory.  *Note mktex
 configuration::.
 
    The first restriction you can apply is to make newly-created
-directories under 'texmf' be append-only with an option in 'mktex.cnf'.
+directories under ‘texmf’ be append-only with an option in ‘mktex.cnf’.
 *Note mktex configuration::.
 
    Another approach is to establish a group (or user) for TeX files,
-make the 'texmf' tree writable only to that group (or user), and make
-'mktexpk' et al. setgid to that group (or setuid to that user).  Then
+make the ‘texmf’ tree writable only to that group (or user), and make
+‘mktexpk’ et al. setgid to that group (or setuid to that user).  Then
 users must invoke the scripts to install things.  (If you're worried
 about the inevitable security holes in scripts, then you could write a C
 wrapper to exec the script.)
 
-   The 'mktex...' scripts install files with the same read and write
+   The ‘mktex...’ scripts install files with the same read and write
 permissions as the directory they are installed in.  The executable,
 sgid, suid, and sticky bits are always cleared.
 
-   Any directories created by the 'mktex...' scripts have the same
-permissions as their parent directory, unless the 'appendonlydir'
+   Any directories created by the ‘mktex...’ scripts have the same
+permissions as their parent directory, unless the ‘appendonlydir’
 feature is used, in which case the sticky bit is always set.
 
+   Nowadays, with bitmap files rarely used, and with individual systems
+being so much more powerful, this is less of an issue than it was in the
+past.  But the question still comes up occasionally.
+
 
 File: kpathsea.info,  Node: TeX directory structure,  Next: Path searching,  Prev: Security,  Up: Top
 
@@ -298,53 +342,53 @@
    In short, here is a skeleton of the default directory structure,
 extracted from the TDS document:
 
-     PREFIX/      installation root ('/usr/local' by default)
+     PREFIX/      installation root (‘/usr/local’ by default)
       bin/         executables
       man/         man pages
       include/     C header files
       info/        GNU info files
-      lib/         libraries ('libkpathsea.*')
+      lib/         libraries (‘libkpathsea.*’)
       share/       architecture-independent files
        texmf/      TDS root
         bibtex/     BibTeX input files
          bib/        BibTeX databases
-          base/       base distribution (e.g., 'xampl.bib')
+          base/       base distribution (e.g., ‘xampl.bib’)
           misc/       single-file databases
           PKG/       name of a package
          bst/        BibTeX style files
-          base/       base distribution (e.g., 'plain.bst', 'acm.bst')
+          base/       base distribution (e.g., ‘plain.bst’, ‘acm.bst’)
           misc/       single-file styles
           PKG/       name of a package
         doc/         additional documentation
-        dvips/       '.pro', '.ps', 'psfonts.map'
+        dvips/       ‘.pro’, ‘.ps’, ‘psfonts.map’
         fonts/       font-related files
-         TYPE/         file type (e.g., 'tfm', 'pk')
-          MODE/          type of output device (types 'pk' and 'gf' only)
-           SUPPLIER/       name of a font supplier (e.g., 'public')
-            TYPEFACE/        name of a typeface (e.g., 'cm')
-             dpiNNN/           font resolution (types 'pk' and 'gf' only)
+         TYPE/         file type (e.g., ‘tfm’, ‘pk’)
+          MODE/          type of output device (types ‘pk’ and ‘gf’ only)
+           SUPPLIER/       name of a font supplier (e.g., ‘public’)
+            TYPEFACE/        name of a typeface (e.g., ‘cm’)
+             dpiNNN/           font resolution (types ‘pk’ and ‘gf’ only)
         metafont/    Metafont (non-font) input files
-         base/        base distribution (e.g., 'plain.mf')
-         misc/        single-file packages (e.g., 'modes.mf')
-         PKG/           name of a package (e.g., 'mfpic')
+         base/        base distribution (e.g., ‘plain.mf’)
+         misc/        single-file packages (e.g., ‘modes.mf’)
+         PKG/           name of a package (e.g., ‘mfpic’)
         metapost/    MetaPost input files
-         base/        base distribution (e.g., 'plain.mp')
+         base/        base distribution (e.g., ‘plain.mp’)
          misc/        single-file packages
          PKG/           name of a package
-         support/     support files for MetaPost-related utilities (e.g., 'trfonts.map')
-        mft/         'MFT' inputs (e.g., 'plain.mft')
+         support/     support files for MetaPost-related utilities (e.g., ‘trfonts.map’)
+        mft/         ‘MFT’ inputs (e.g., ‘plain.mft’)
         tex/         TeX input files
-         FORMAT/         name of a format (e.g., 'plain')
-          base/        base distribution for FORMAT (e.g., 'plain.tex')
-          misc/        single-file packages (e.g., 'webmac.tex')
+         FORMAT/         name of a format (e.g., ‘plain’)
+          base/        base distribution for FORMAT (e.g., ‘plain.tex’)
+          misc/        single-file packages (e.g., ‘webmac.tex’)
           local/       local additions to or local configuration files for FORMAT
-          PKG/           name of a package (e.g., 'graphics', 'mfnfss')
+          PKG/           name of a package (e.g., ‘graphics’, ‘mfnfss’)
          generic/     format-independent packages
-          hyphen/      hyphenation patterns (e.g., 'hyphen.tex')
+          hyphen/      hyphenation patterns (e.g., ‘hyphen.tex’)
           images/      image input files (e.g., Encapsulated PostScript)
-          misc/        single-file format-independent packages (e.g., 'null.tex').
-          PKG/           name of a package (e.g., 'babel')
-        web2c/        implementation-dependent files ('.pool', '.fmt', 'texmf.cnf', etc.)
+          misc/        single-file format-independent packages (e.g., ‘null.tex’).
+          PKG/           name of a package (e.g., ‘babel’)
+        web2c/        implementation-dependent files (‘.pool’, ‘.fmt’, ‘texmf.cnf’, etc.)
 
    Some concrete examples for most file types:
 
@@ -395,14 +439,14 @@
 5.1 Searching overview
 ======================
 
-A "search path" is a colon-separated list of "path elements", which are
+A “search path” is a colon-separated list of “path elements”, which are
 directory names with a few extra frills.  A search path can come from (a
-combination of) many sources; see below.  To look up a file 'foo' along
-a path '.:/dir', Kpathsea checks each element of the path in turn: first
-'./foo', then '/dir/foo', returning the first match (or possibly all
+combination of) many sources; see below.  To look up a file ‘foo’ along
+a path ‘.:/dir’, Kpathsea checks each element of the path in turn: first
+‘./foo’, then ‘/dir/foo’, returning the first match (or possibly all
 matches).
 
-   The "colon" and "slash" mentioned here aren't necessarily ':' and '/'
+   The "colon" and "slash" mentioned here aren't necessarily ‘:’ and ‘/’
 on non-Unix systems.  Kpathsea tries to adapt to other operating
 systems' conventions.
 
@@ -413,7 +457,7 @@
 
    If the database does not exist, or does not apply to this path
 element, or contains no matches, the filesystem is searched (if this was
-not forbidden by the specification with '!!' and if the file being
+not forbidden by the specification with ‘!!’ and if the file being
 searched for must exist).  Kpathsea constructs the list of directories
 that correspond to this path element, and then checks in each for the
 file being searched for.  (To help speed future lookups of files in the
@@ -421,9 +465,9 @@
 top of the directory list.)
 
    The "file must exist" condition comes into play with VF files and
-input files read by the TeX '\openin' command.  These files might very
-well not exist (consider 'cmr10.vf'), and so it would be wrong to search
-the disk for them.  Therefore, if you fail to update 'ls-R' when you
+input files read by the TeX ‘\openin’ command.  These files might very
+well not exist (consider ‘cmr10.vf’), and so it would be wrong to search
+the disk for them.  Therefore, if you fail to update ‘ls-R’ when you
 install a new VF file, it will not be found.
 
    Each path element is checked in turn: first the database, then the
@@ -435,7 +479,7 @@
    On Unix-like systems, if no match is found by any of the above, and
 the path element allows checking the filesystem (per the above), a final
 check is made for a case-insensitive match.  Thus, looking for a name
-like './FooBar.TeX' will match a file './foobar.tex', and vice versa.
+like ‘./FooBar.TeX’ will match a file ‘./foobar.tex’, and vice versa.
 This is not done on Windows.  *Note Casefolding search::.
 
    Although the simplest and most common path element is a directory
@@ -442,13 +486,13 @@
 name, Kpathsea supports additional features in search paths: layered
 default values, environment variable names, config file values, users'
 home directories, and recursive subdirectory searching.  Thus, we say
-that Kpathsea "expands" a path element, meaning transforming all the
+that Kpathsea “expands” a path element, meaning transforming all the
 magic specifications into the basic directory name or names.  This
 process is described in the sections below.  It happens in the same
 order as the sections.
 
    Exception to all of the above: If the filename being searched for is
-absolute or explicitly relative, i.e., starts with '/' or './' or '../',
+absolute or explicitly relative, i.e., starts with ‘/’ or ‘./’ or ‘../’,
 Kpathsea simply checks if that file exists, with a fallback to a
 casefolding match if needed and enabled, as described above.
 
@@ -455,12 +499,12 @@
    Ordinarily, if Kpathsea tries to access a file or directory that
 cannot be read, it gives a warning.  This is so you will be alerted to
 directories or files that accidentally lack any read permission (for
-example, a 'lost+found' directory).  If you prefer not to see these
-warnings, include the value 'readable' in the 'TEX_HUSH' environment
+example, a ‘lost+found’ directory).  If you prefer not to see these
+warnings, include the value ‘readable’ in the ‘TEX_HUSH’ environment
 variable or config file value.
 
    This generic path searching algorithm is implemented in
-'kpathsea/pathsearch.c'.  It is employed by a higher-level algorithm
+‘kpathsea/pathsearch.c’.  It is employed by a higher-level algorithm
 when searching for a file of a particular type (*note File lookup::, and
 *note Glyph lookup::).
 
@@ -473,21 +517,21 @@
 A search path or other configuration value can come from many sources.
 In the order in which Kpathsea looks for them:
 
-  1. A command-line option such as '--cnf-line', available in
-     'kpsewhich' and most TeX engines.  *Note Path searching options::.
+  1. A command-line option such as ‘--cnf-line’, available in
+     ‘kpsewhich’ and most TeX engines.  *Note Path searching options::.
 
-     A user-set environment variable, e.g., 'TEXINPUTS'.  Environment
+     A user-set environment variable, e.g., ‘TEXINPUTS’.  Environment
      variables with an underscore and the program name appended
-     override; for example, 'TEXINPUTS_latex' overrides 'TEXINPUTS' if
-     the program being run is named 'latex'.
+     override; for example, ‘TEXINPUTS_latex’ overrides ‘TEXINPUTS’ if
+     the program being run is named ‘latex’.
 
-  2. A program-specific configuration file, e.g., an 'S /a:/b' line in
-     Dvips' 'config.ps' (*note (dvips)Config files::).
+  2. A program-specific configuration file, e.g., an ‘S /a:/b’ line in
+     Dvips' ‘config.ps’ (*note (dvips)Config files::).
 
-  3. A line in a Kpathsea configuration file 'texmf.cnf', e.g.,
-     'TEXINPUTS=/c:/d' (see below).
+  3. A line in a Kpathsea configuration file ‘texmf.cnf’, e.g.,
+     ‘TEXINPUTS=/c:/d’ (see below).
 
-  4. The compile-time default (specified in 'kpathsea/paths.h').
+  4. The compile-time default (specified in ‘kpathsea/paths.h’).
 
    You can see each of these values for a given search path by using the
 debugging options (*note Debugging::).
@@ -505,28 +549,28 @@
 5.2.1 Config files
 ------------------
 
-As mentioned above, Kpathsea reads "runtime configuration files" named
-'texmf.cnf' for search path and other definitions.  The search path used
-to look for these configuration files is named 'TEXMFCNF', and is
+As mentioned above, Kpathsea reads “runtime configuration files” named
+‘texmf.cnf’ for search path and other definitions.  The search path used
+to look for these configuration files is named ‘TEXMFCNF’, and is
 constructed in the usual way, as described above, except that
 configuration files cannot be used to define the path, naturally; also,
-an 'ls-R' database is not used to search for them.
+an ‘ls-R’ database is not used to search for them.
 
-   Kpathsea reads _all_ 'texmf.cnf' files in the search path, not just
+   Kpathsea reads _all_ ‘texmf.cnf’ files in the search path, not just
 the first one found; definitions in earlier files override those in
-later files.  Thus, if the search path is '.:$TEXMF', values from
-'./texmf.cnf' override those from '$TEXMF/texmf.cnf'.
+later files.  Thus, if the search path is ‘.:$TEXMF’, values from
+‘./texmf.cnf’ override those from ‘$TEXMF/texmf.cnf’.
 
-   If Kpathsea cannot find any 'texmf.cnf' file, it reports a warning
+   If Kpathsea cannot find any ‘texmf.cnf’ file, it reports a warning
 including all the directories it checked.  If you don't want to see this
-warning, set the environment variable 'KPATHSEA_WARNING' to the single
-character '0' (zero, not oh).
+warning, set the environment variable ‘KPATHSEA_WARNING’ to the single
+character ‘0’ (zero, not oh).
 
    While (or instead of) reading this description, you may find it
-helpful to look at the distributed 'texmf.cnf', which uses or at least
-mentions most features.  The format of 'texmf.cnf' files follows:
+helpful to look at the distributed ‘texmf.cnf’, which uses or at least
+mentions most features.  The format of ‘texmf.cnf’ files follows:
 
-   * Comments start with '%' or '#', either at the beginning of a line
+   • Comments start with ‘%’ or ‘#’, either at the beginning of a line
      or preceded by whitespace, and continue to the end of the line.
      That is, similar to most shells, a comment character in the
      "middle" of a value does not start a comment.  Examples:
@@ -534,44 +578,44 @@
           % this is a comment
           var = a%b  % but the value of var will be "a%b"
 
-   * Blank lines are ignored.
+   • Blank lines are ignored.
 
-   * A '\' at the end of a line acts as a continuation character, i.e.,
+   • A ‘\’ at the end of a line acts as a continuation character, i.e.,
      the next line is appended.  Whitespace at the beginning of
      continuation lines is not ignored.
 
-   * Each remaining line will look like:
+   • Each remaining line will look like:
 
           VARIABLE [. PROGNAME] [=] VALUE
 
-     where the '=' and surrounding whitespace is optional.
+     where the ‘=’ and surrounding whitespace is optional.
 
-   * The VARIABLE name may contain any character other than whitespace,
-     '=', or '.', but sticking to 'A-Za-z_' is safest.
+   • The VARIABLE name may contain any character other than whitespace,
+     ‘=’, or ‘.’, but sticking to ‘A-Za-z_’ is safest.
 
-   * If '.PROGNAME' is present (preceding spaces are ignored), the
+   • If ‘.PROGNAME’ is present (preceding spaces are ignored), the
      definition only applies if the program that is running is named
-     (i.e., the last component of 'argv[0]' is) PROGNAME or
-     'PROGNAME.{exe,bat,cmd,...}'.  Most notably, this allows different
+     (i.e., the last component of ‘argv[0]’ is) PROGNAME or
+     ‘PROGNAME.{exe,bat,cmd,...}’.  Most notably, this allows different
      flavors of TeX to have different search paths.  The PROGNAME value
      is used literally, without variable or other expansions.
 
-   * Considered as strings, VALUE may contain any character.  However,
-     in practice most 'texmf.cnf' values are related to path expansion,
+   • Considered as strings, VALUE may contain any character.  However,
+     in practice most ‘texmf.cnf’ values are related to path expansion,
      and since various special characters are used in expansion, such as
      braces and commas, they cannot be used in directory names.
 
-     The '$VAR.PROG' feature is not available on the right-hand side;
+     The ‘$VAR.PROG’ feature is not available on the right-hand side;
      instead, you must use an additional variable (see below for
      example).
 
-     A ';' in VALUE is translated to ':' if running under Unix, in order
-     to have a single 'texmf.cnf' that can support both Unix and Windows
+     A ‘;’ in VALUE is translated to ‘:’ if running under Unix, in order
+     to have a single ‘texmf.cnf’ that can support both Unix and Windows
      systems.  This translation happens with any value, not just search
-     paths, but fortunately in practice ';' is not needed in other
+     paths, but fortunately in practice ‘;’ is not needed in other
      values.
 
-   * All definitions are read before anything is expanded, so you can
+   • All definitions are read before anything is expanded, so you can
      use variables before they are defined (like Make, unlike most other
      programs).
 
@@ -585,26 +629,26 @@
      TEXINPUTS.latex2e = $latex2e_inputs
      TEXINPUTS.latex = $latex2e_inputs
 
-   The combination of spaces being ignored before the '.' of a program
-name qualifer and the optional '=' for the assignment has an unexpected
-consequence: if the value begins with a literal '.' and the '=' is
+   The combination of spaces being ignored before the ‘.’ of a program
+name qualifer and the optional ‘=’ for the assignment has an unexpected
+consequence: if the value begins with a literal ‘.’ and the ‘=’ is
 omitted, the intended value is interpreted as a program name.  For
-example, a line 'var .;/some/path' is taken as an empty value for 'var'
-running under the program named ';/some/path'.  To diagnose this,
+example, a line ‘var .;/some/path’ is taken as an empty value for ‘var’
+running under the program named ‘;/some/path’.  To diagnose this,
 Kpathsea warns if the program name contains a path separator or other
 special character.  The simplest way to avoid the problem is to use the
-'='.
+‘=’.
 
    Exactly when a character will be considered special or act as itself
 depends on the context in which it is used.  The rules are inherent in
 the multiple levels of interpretation of the configuration (parsing,
 expansion, search, ...) and so cannot be concisely stated,
-unfortunately.  There is no general escape mechanism; in particular, '\'
-is not an "escape character" in 'texmf.cnf' files.  When it comes
+unfortunately.  There is no general escape mechanism; in particular, ‘\’
+is not an "escape character" in ‘texmf.cnf’ files.  When it comes
 choosing directory names for installation, it is safest to avoid them
 all.
 
-   The implementation of all this is in 'kpathsea/cnf.c'.
+   The implementation of all this is in ‘kpathsea/cnf.c’.
 
 
 File: kpathsea.info,  Node: Path expansion,  Next: Casefolding search,  Prev: Path sources,  Up: Path searching
@@ -614,9 +658,9 @@
 
 Kpathsea recognizes certain special characters and constructions in
 search paths, similar to that in shells.  As a general example:
-'~$USER/{foo,bar}//baz' expands to all subdirectories under directories
-'foo' and 'bar' in $USER's home directory that contain a directory or
-file 'baz'.
+‘~$USER/{foo,bar}//baz’ expands to all subdirectories under directories
+‘foo’ and ‘bar’ in $USER's home directory that contain a directory or
+file ‘baz’.
 
    These expansions are explained in the sections below.
 
@@ -636,7 +680,7 @@
 -----------------------
 
 If the highest-priority search path (*note Path sources::) contains an
-"extra colon" (i.e., leading, trailing, or doubled), Kpathsea inserts at
+“extra colon” (i.e., leading, trailing, or doubled), Kpathsea inserts at
 that point the next-highest-priority search path that is defined.  If
 that inserted path has an extra colon, the same happens with the
 next-highest.  (An extra colon in the compile-time default value has
@@ -646,7 +690,7 @@
 
      setenv TEXINPUTS /home/karl:
 
-and a 'TEXINPUTS' value from 'texmf.cnf' of
+and a ‘TEXINPUTS’ value from ‘texmf.cnf’ of
 
      .:$TEXMF//tex
 
@@ -656,7 +700,7 @@
 
    Put another way, default expansion works on "formats" (search paths),
 and not directly on environment variables.  Example, showing the
-trailing ':' ignored in the first case and expanded in the second:
+trailing ‘:’ ignored in the first case and expanded in the second:
 
      $ env TTFONTS=/tmp: kpsewhich --expand-path '$TTFONTS'
      /tmp
@@ -664,21 +708,21 @@
      /tmp:.:/home/olaf/texmf/fonts/truetype//:...
 
    Since Kpathsea looks for multiple configuration files, it would be
-natural to expect that (for example) an extra colon in './texmf.cnf'
-would expand to the path in '$TEXMF/texmf.cnf'.  Or, with Dvips'
-configuration files, that an extra colon in 'config.$PRINTER' would
-expand to the path in 'config.ps'.  This doesn't happen.  It's not clear
+natural to expect that (for example) an extra colon in ‘./texmf.cnf’
+would expand to the path in ‘$TEXMF/texmf.cnf’.  Or, with Dvips'
+configuration files, that an extra colon in ‘config.$PRINTER’ would
+expand to the path in ‘config.ps’.  This doesn't happen.  It's not clear
 this would be desirable in all cases, and trying to devise a way to
 specify the path to which the extra colon should expand seemed truly
 baroque.
 
    Technicality: Since it would be useless to insert the default value
-in more than one place, Kpathsea changes only one extra ':' and leaves
+in more than one place, Kpathsea changes only one extra ‘:’ and leaves
 any others in place (they will eventually be ignored).  Kpathsea checks
-first for a leading ':', then a trailing ':', then a doubled ':'.
+first for a leading ‘:’, then a trailing ‘:’, then a doubled ‘:’.
 
    You can trace this by debugging "paths" (*note Debugging::).  Default
-expansion is implemented in the source file 'kpathsea/kdefault.c'.
+expansion is implemented in the source file ‘kpathsea/kdefault.c’.
 
 
 File: kpathsea.info,  Node: Variable expansion,  Next: Tilde expansion,  Prev: Default expansion,  Up: Path expansion
@@ -686,34 +730,34 @@
 5.3.2 Variable expansion
 ------------------------
 
-'$foo' or '${foo}' in a path element is replaced by (1) the value of an
-environment variable 'foo' (if defined); (2) the value of 'foo' from
-'texmf.cnf' (if defined); (3) the empty string.
+‘$foo’ or ‘${foo}’ in a path element is replaced by (1) the value of an
+environment variable ‘foo’ (if defined); (2) the value of ‘foo’ from
+‘texmf.cnf’ (if defined); (3) the empty string.
 
-   If the character after the '$' is alphanumeric or '_', the variable
+   If the character after the ‘$’ is alphanumeric or ‘_’, the variable
 name consists of all consecutive such characters.  If the character
-after the '$' is a '{', the variable name consists of everything up to
-the next '}' (braces may not be nested around variable names).
-Otherwise, Kpathsea gives a warning and ignores the '$' and its
+after the ‘$’ is a ‘{’, the variable name consists of everything up to
+the next ‘}’ (braces may not be nested around variable names).
+Otherwise, Kpathsea gives a warning and ignores the ‘$’ and its
 following character.
 
    You must quote the $'s and braces as necessary for your shell.
 _Shell_ variable values cannot be seen by Kpathsea, i.e., ones defined
-by 'set' in C shells and without 'export' in Bourne shells.
+by ‘set’ in C shells and without ‘export’ in Bourne shells.
 
    For example, given
      setenv tex /home/texmf
      setenv TEXINPUTS .:$tex:${tex}prev
-the final 'TEXINPUTS' path is the three directories:
+the final ‘TEXINPUTS’ path is the three directories:
      .:/home/texmf:/home/texmfprev
 
-   The '.PROGNAME' suffix on variables and '_PROGNAME' on environment
+   The ‘.PROGNAME’ suffix on variables and ‘_PROGNAME’ on environment
 variable names are not implemented for general variable expansions.
 These are only recognized when search paths are initialized (*note Path
 sources::).
 
    Variable expansion is implemented in the source file
-'kpathsea/variable.c'.
+‘kpathsea/variable.c’.
 
 
 File: kpathsea.info,  Node: Tilde expansion,  Next: Brace expansion,  Prev: Variable expansion,  Up: Path expansion
@@ -721,26 +765,26 @@
 5.3.3 Tilde expansion
 ---------------------
 
-A leading '~' in a path element is replaced by the value of the
-environment variable 'HOME', or '.' if 'HOME' is not set.  On Windows,
-the environment variable 'USERPROFILE' is checked instead of 'HOME'.
+A leading ‘~’ in a path element is replaced by the value of the
+environment variable ‘HOME’, or ‘.’ if ‘HOME’ is not set.  On Windows,
+the environment variable ‘USERPROFILE’ is checked instead of ‘HOME’.
 
-   A leading '~USER' in a path element is replaced by USER's home
-directory from the system 'passwd' database.
+   A leading ‘~USER’ in a path element is replaced by USER's home
+directory from the system ‘passwd’ database.
 
    For example,
      setenv TEXINPUTS ~/mymacros:
 
-will prepend a directory 'mymacros' in your home directory to the
+will prepend a directory ‘mymacros’ in your home directory to the
 default path.
 
-   As a special case, if a home directory ends in '/', the trailing
-slash is dropped, to avoid inadvertently creating a '//' construct in
-the path.  For example, if the home directory of the user 'root' is '/',
-the path element '~root/mymacros' expands to just '/mymacros', not
-'//mymacros'.
+   As a special case, if a home directory ends in ‘/’, the trailing
+slash is dropped, to avoid inadvertently creating a ‘//’ construct in
+the path.  For example, if the home directory of the user ‘root’ is ‘/’,
+the path element ‘~root/mymacros’ expands to just ‘/mymacros’, not
+‘//mymacros’.
 
-   Tilde expansion is implemented in the source file 'kpathsea/tilde.c'.
+   Tilde expansion is implemented in the source file ‘kpathsea/tilde.c’.
 
 
 File: kpathsea.info,  Node: Brace expansion,  Next: KPSE_DOT expansion,  Prev: Tilde expansion,  Up: Path expansion
@@ -748,38 +792,38 @@
 5.3.4 Brace expansion
 ---------------------
 
-'x{A,B}y' expands to 'xAy:xBy'.  For example:
+‘x{A,B}y’ expands to ‘xAy:xBy’.  For example:
 
      foo/{1,2}/baz
 
-expands to 'foo/1/baz:foo/2/baz'.  ':' is the path separator on the
-current system; e.g., on a Windows system, it's ';'.
+expands to ‘foo/1/baz:foo/2/baz’.  ‘:’ is the path separator on the
+current system; e.g., on a Windows system, it's ‘;’.
 
-   Braces can be nested; for example, 'x{A,B{1,2}}y' expands to
-'xAy:xB1y:xB2y'.
+   Braces can be nested; for example, ‘x{A,B{1,2}}y’ expands to
+‘xAy:xB1y:xB2y’.
 
    Multiple non-nested braces are expanded from right to left; for
-example, 'x{A,B}{1,2}y' expands to 'x{A,B}1y:x{A,B}2y', which expands to
-'xA1y:xB1y:xA2y:xB2y'.
+example, ‘x{A,B}{1,2}y’ expands to ‘x{A,B}1y:x{A,B}2y’, which expands to
+‘xA1y:xB1y:xA2y:xB2y’.
 
    This feature can be used to implement multiple TeX hierarchies, by
-assigning a brace list to '$TEXMF', as mentioned in 'texmf.in'.
+assigning a brace list to ‘$TEXMF’, as mentioned in ‘texmf.in’.
 
    You can also use the path separator instead of the comma.  The last
-example could have been written 'x{A:B}{1:2}y' (on Unix).
+example could have been written ‘x{A:B}{1:2}y’ (on Unix).
 
    Brace expansion is implemented in the source file
-'kpathsea/expand.c'.
+‘kpathsea/expand.c’.
 
 
 File: kpathsea.info,  Node: KPSE_DOT expansion,  Next: Subdirectory expansion,  Prev: Brace expansion,  Up: Path expansion
 
-5.3.5 'KPSE_DOT' expansion
+5.3.5 ‘KPSE_DOT’ expansion
 --------------------------
 
-When 'KPSE_DOT' is defined in the environment, it names a directory that
+When ‘KPSE_DOT’ is defined in the environment, it names a directory that
 should be considered the current directory for the purpose of looking up
-files in the search paths.  This feature is needed by the 'mktex...'
+files in the search paths.  This feature is needed by the ‘mktex...’
 scripts *note mktex scripts::, because these change the working
 directory.  You should not ever define it yourself.
 
@@ -795,14 +839,14 @@
 each level, the order in which the directories are searched is
 unspecified.  (It's "directory order", and definitely not alphabetical.)
 
-   If you specify any filename components after the '//', only
+   If you specify any filename components after the ‘//’, only
 subdirectories which match those components are included.  For example,
-'/a//b' would expand into directories '/a/1/b', '/a/2/b', '/a/1/1/b',
-and so on, but not '/a/b/c' or '/a/1'.
+‘/a//b’ would expand into directories ‘/a/1/b’, ‘/a/2/b’, ‘/a/1/1/b’,
+and so on, but not ‘/a/b/c’ or ‘/a/1’.
 
-   You can include multiple '//' constructs in the path.
+   You can include multiple ‘//’ constructs in the path.
 
-   '//' at the beginning of a path is ignored; you didn't really want to
+   ‘//’ at the beginning of a path is ignored; you didn't really want to
 search every directory on the system, did you?
 
    I should mention one related implementation trick, which I took from
@@ -811,28 +855,28 @@
 
    The trick is that in every real Unix implementation (as opposed to
 the POSIX specification), a directory which contains no subdirectories
-will have exactly two links (namely, one for '.' and one for '..').
-That is to say, the 'st_nlink' field in the 'stat' structure will be
+will have exactly two links (namely, one for ‘.’ and one for ‘..’).
+That is to say, the ‘st_nlink’ field in the ‘stat’ structure will be
 two.  Thus, we don't have to stat everything in the bottom-level (leaf)
-directories--we can just check 'st_nlink', notice it's two, and do no
+directories--we can just check ‘st_nlink’, notice it's two, and do no
 more work.
 
    But if you have a directory that contains a single subdirectory and
-500 regular files, 'st_nlink' will be 3, and Kpathsea has to stat every
+500 regular files, ‘st_nlink’ will be 3, and Kpathsea has to stat every
 one of those 501 entries.  Therein lies slowness.
 
-   You can disable the trick by undefining 'ST_NLINK_TRICK' in
-'kpathsea/config.h'.  (It is undefined by default except under Unix.)
+   You can disable the trick by undefining ‘ST_NLINK_TRICK’ in
+‘kpathsea/config.h’.  (It is undefined by default except under Unix.)
 
-   Unfortunately, in some cases files in leaf directories are 'stat''d:
-if the path specification is, say, '$TEXMF/fonts//pk//', then files in a
-subdirectory '.../pk', even if it is a leaf, are checked.  The reason
+   Unfortunately, in some cases files in leaf directories are ‘stat’'d:
+if the path specification is, say, ‘$TEXMF/fonts//pk//’, then files in a
+subdirectory ‘.../pk’, even if it is a leaf, are checked.  The reason
 cannot be explained without reference to the implementation, so read
-'kpathsea/elt-dirs.c' (search for 'may descend') if you are curious.
+‘kpathsea/elt-dirs.c’ (search for ‘may descend’) if you are curious.
 And if you find a way to solve the problem, please let me know.
 
    Subdirectory expansion is implemented in the source file
-'kpathsea/elt-dirs.c'.
+‘kpathsea/elt-dirs.c’.
 
 
 File: kpathsea.info,  Node: Casefolding search,  Next: Filename database,  Prev: Path expansion,  Up: Path searching
@@ -847,8 +891,8 @@
 for a case-insensitive match.
 
    This is enabled at compile-time on Unix systems, and enabled at
-runtime by setting the configuration variable 'texmf_casefold_search',
-to a true value, e.g., '1'; this is done by default in TeX Live.
+runtime by setting the configuration variable ‘texmf_casefold_search’,
+to a true value, e.g., ‘1’; this is done by default in TeX Live.
 
 * Menu:
 
@@ -866,7 +910,7 @@
 ones.  In particular, Apple decided to make the default filesystem on
 Macs be case-insensitive some years ago, and this has exacerbated a
 problem of people creating documents that use, say, an image under the
-name 'foo.jpg', while the actual file is named 'foo.JPG' or 'Foo.jpg'.
+name ‘foo.jpg’, while the actual file is named ‘foo.JPG’ or ‘Foo.jpg’.
 It works on the Mac but if the document is transferred and run on a
 standard case-sensitive Unix (file)system, the file can't be found, due
 only to differences in case.
@@ -902,58 +946,58 @@
 
    If it's desirable in a given situation to have the exact same search
 behavior as previously, that can be accomplished by setting the
-configuration variable 'texmf_casefold_search' to '0' (*note Path
+configuration variable ‘texmf_casefold_search’ to ‘0’ (*note Path
 sources::).
 
    Some examples to illustrate the new behavior follow.
 
-   Example #1: suppose the file './foobar.tex' exists.  Now, searching
-for './FooBar.TeX' (or any other case variation) will succeed, returning
-'./foobar.tex'--the name as stored on disk.  In previous releases, or if
-'texmf_casefold_search' is false, the search would fail.
+   Example #1: suppose the file ‘./foobar.tex’ exists.  Now, searching
+for ‘./FooBar.TeX’ (or any other case variation) will succeed, returning
+‘./foobar.tex’--the name as stored on disk.  In previous releases, or if
+‘texmf_casefold_search’ is false, the search would fail.
 
    Example #2: suppose we are using a case-sensitive (file)system, and
-the search path is '.:/somedir', and the files './foobar.tex' and
-'/somedir/FooBar.TeX' both exist.  Both now and previously, searching
-for 'foobar.tex' returns './foobar.tex'.  However, searching for
-'FooBar.TeX' now returns './foobar.tex' instead of
-'/somedir/FooBar.TeX'; this is the incompatibility mentioned above.
-Also (as expected), searching for 'FOOBAR.TEX' (or whatever variation)
-will now return './foobar.tex', whereas before it would fail.  Searching
-for all ('kpsewhich --all') 'foobar.tex' will return both matches.
+the search path is ‘.:/somedir’, and the files ‘./foobar.tex’ and
+‘/somedir/FooBar.TeX’ both exist.  Both now and previously, searching
+for ‘foobar.tex’ returns ‘./foobar.tex’.  However, searching for
+‘FooBar.TeX’ now returns ‘./foobar.tex’ instead of
+‘/somedir/FooBar.TeX’; this is the incompatibility mentioned above.
+Also (as expected), searching for ‘FOOBAR.TEX’ (or whatever variation)
+will now return ‘./foobar.tex’, whereas before it would fail.  Searching
+for all (‘kpsewhich --all’) ‘foobar.tex’ will return both matches.
 
    Example #3: same as example #2, but on a case-insensitive
-(file)system: both now and previously, searching for 'FooBar.TeX'
-returns './foobar.tex', since the system considers that a match.  The
+(file)system: both now and previously, searching for ‘FooBar.TeX’
+returns ‘./foobar.tex’, since the system considers that a match.  The
 Kpathsea casefolding never comes into play.
 
    Example #4: if we have (on a case-sensitive system) both
-'./foobar.tex' and './FOOBAR.TEX', searching with the exact case returns
-that exact match, now and previously.  Searching for 'FooBar.tex' will
+‘./foobar.tex’ and ‘./FOOBAR.TEX’, searching with the exact case returns
+that exact match, now and previously.  Searching for ‘FooBar.tex’ will
 now return one or the other (chosen arbitrarily), rather than failing.
-Perhaps unexpectedly, searching for all 'foobar.tex' or 'FooBar.tex'
+Perhaps unexpectedly, searching for all ‘foobar.tex’ or ‘FooBar.tex’
 will also return only one or the other, not both (see more below).
 
-   Example #5: the font file 'STIX-Regular.otf' is included in TeX Live
-in the system directory 'texmf-dist/fonts/opentype/public/stix'.
+   Example #5: the font file ‘STIX-Regular.otf’ is included in TeX Live
+in the system directory ‘texmf-dist/fonts/opentype/public/stix’.
 Because Kpathsea never searches the disk in the big system directory,
-the casefolding is not done, and a search for 'stix-regular.otf' will
+the casefolding is not done, and a search for ‘stix-regular.otf’ will
 fail (on case-sensitive systems), as it always has.
 
    The caveat about not searching the disk amounts to saying that
-casefolding does not happen in the trees specified with '!!' (*note
-ls-R::), that is, where only database ('ls-R') searching is done.  In
-TeX Live, that is the 'texmf-local' and 'texmf-dist' trees (also
-'$TEXMFSYSCONFIG' and '$TEXMFSYSVAR', but those are rarely noticed).
+casefolding does not happen in the trees specified with ‘!!’ (*note
+ls-R::), that is, where only database (‘ls-R’) searching is done.  In
+TeX Live, that is the ‘texmf-local’ and ‘texmf-dist’ trees (also
+‘$TEXMFSYSCONFIG’ and ‘$TEXMFSYSVAR’, but those are rarely noticed).
 The rationale for this is that in practice, case mangling happens with
 user-created files, not with packages distributed as part of the TeX
 system.
 
-   One more caveat: the purpose of 'kpsewhich' is to exercise the path
+   One more caveat: the purpose of ‘kpsewhich’ is to exercise the path
 searching in Kpathsea as it is actually done.  Therefore, as shown
-above, 'kpsewhich --all' will not return all matches regardless of case
+above, ‘kpsewhich --all’ will not return all matches regardless of case
 within a given path element.  If you want to find all matches in all
-directories, 'find' is the best tool, although the setup takes a couple
+directories, ‘find’ is the best tool, although the setup takes a couple
 steps:
 
      kpsewhich -show-path=tex >/tmp/texpath      # search path specification
@@ -963,21 +1007,21 @@
 
    Sorry that it's annoyingly lengthy, but implementing this inside
 Kpathsea would be a lot of error-prone trouble for something that is
-only useful for debugging.  If your 'find' does not support '-iname',
+only useful for debugging.  If your ‘find’ does not support ‘-iname’,
 you can get GNU Find from <https://gnu.org/software/findutils>.
 
    The casefolding search is implemented in the source file
-'kpathsea/pathsearch.c'.  Two implementation points:
+‘kpathsea/pathsearch.c’.  Two implementation points:
 
-   * Kpathsea never tries to check if a given directory resides on a
+   • Kpathsea never tries to check if a given directory resides on a
      case-insensitive filesystem, because there is no efficient and
      portable way to do so.  All it does is try to see if a potential
-     file name is a readable normal file (with, usually, the 'access'
+     file name is a readable normal file (with, usually, the ‘access’
      system call).
 
-   * Kpathsea does not do any case-insensitive matching of the
+   • Kpathsea does not do any case-insensitive matching of the
      directories along the path.  It's not going to find
-     '/Some/Random/file.tex' when looking for '/some/random/file.tex'.
+     ‘/Some/Random/file.tex’ when looking for ‘/some/random/file.tex’.
      The casefolding only happens with the elements of the leaf
      directory.
 
@@ -984,7 +1028,7 @@
 
 File: kpathsea.info,  Node: Filename database,  Next: Invoking kpsewhich,  Prev: Casefolding search,  Up: Path searching
 
-5.5 Filename database ('ls-R')
+5.5 Filename database (‘ls-R’)
 ==============================
 
 Kpathsea goes to some lengths to minimize disk accesses for searches
@@ -992,15 +1036,15 @@
 every possible directory in typical TeX installations takes an
 excessively long time.
 
-   Therefore, Kpathsea can use an externally-built "filename database"
-file named 'ls-R' that maps files to directories, thus avoiding the need
+   Therefore, Kpathsea can use an externally-built “filename database”
+file named ‘ls-R’ that maps files to directories, thus avoiding the need
 to exhaustively search the disk.
 
-   A second database file 'aliases' allows you to give additional names
-to the files listed in 'ls-R'.
+   A second database file ‘aliases’ allows you to give additional names
+to the files listed in ‘ls-R’.
 
-   The 'ls-R' and 'aliases' features are implemented in the source file
-'kpathsea/db.c'.
+   The ‘ls-R’ and ‘aliases’ features are implemented in the source file
+‘kpathsea/db.c’.
 
 * Menu:
 
@@ -1011,77 +1055,77 @@
 
 File: kpathsea.info,  Node: ls-R,  Next: Filename aliases,  Up: Filename database
 
-5.5.1 'ls-R'
+5.5.1 ‘ls-R’
 ------------
 
-As mentioned above, you must name the main filename database 'ls-R'.
+As mentioned above, you must name the main filename database ‘ls-R’.
 You can put one at the root of each TeX installation hierarchy you wish
-to search ('$TEXMF' by default, which expands to a braced list of
+to search (‘$TEXMF’ by default, which expands to a braced list of
 several hierarchies in TeX Live).
 
-   Kpathsea looks for 'ls-R' files along the 'TEXMFDBS' path.  It is
-best for this to contain all and only those hierarchies from '$TEXMF'
-which are specified with '!!'--and also to specify them with '!!' in
-'TEXMFDBS'.  (See the end of this section for more on '!!'.)
+   Kpathsea looks for ‘ls-R’ files along the ‘TEXMFDBS’ path.  It is
+best for this to contain all and only those hierarchies from ‘$TEXMF’
+which are specified with ‘!!’--and also to specify them with ‘!!’ in
+‘TEXMFDBS’.  (See the end of this section for more on ‘!!’.)
 
-   The recommended way to create and maintain 'ls-R' is to run the
-'mktexlsr' script, which is installed in '$(bindir)' ('/usr/local/bin'
+   The recommended way to create and maintain ‘ls-R’ is to run the
+‘mktexlsr’ script, which is installed in ‘$(bindir)’ (‘/usr/local/bin’
 by default).  That script goes to some trouble to follow symbolic links
-as necessary, etc.  It's also invoked by the distributed 'mktex...'
+as necessary, etc.  It's also invoked by the distributed ‘mktex...’
 scripts.
 
-   At its simplest, though, you can build 'ls-R' with the command
+   At its simplest, though, you can build ‘ls-R’ with the command
      cd /YOUR/TEXMF/ROOT && ls -LAR ./ >ls-R
 
-presuming your 'ls' produces the right output format (see the section
-below).  GNU 'ls', for example, outputs in this format.  Also presuming
-your 'ls' hasn't been aliased in a system file (e.g., '/etc/profile') to
-something problematic, e.g., 'ls --color=tty'.  In that case, you will
-have to disable the alias before generating 'ls-R'.  For the precise
+presuming your ‘ls’ produces the right output format (see the section
+below).  GNU ‘ls’, for example, outputs in this format.  Also presuming
+your ‘ls’ hasn't been aliased in a system file (e.g., ‘/etc/profile’) to
+something problematic, e.g., ‘ls --color=tty’.  In that case, you will
+have to disable the alias before generating ‘ls-R’.  For the precise
 definition of the file format, see *note Database format::.
 
    Regardless of whether you use the supplied script or your own, you
-will almost certainly want to invoke it via 'cron', so when you make
+will almost certainly want to invoke it via ‘cron’, so when you make
 changes in the installed files (say if you install a new LaTeX package),
-'ls-R' will be automatically updated.  However, for those using TeX Live
-or system distributions, the package managers should run 'mktexlsr' as
+‘ls-R’ will be automatically updated.  However, for those using TeX Live
+or system distributions, the package managers should run ‘mktexlsr’ as
 needed.
 
-   The '-A' option to 'ls' includes files beginning with '.' (except for
-'.' and '..'), such as the file '.tex' included with the LaTeX tools
-package.  (On the other hand, _directories_ whose names begin with '.'
+   The ‘-A’ option to ‘ls’ includes files beginning with ‘.’ (except for
+‘.’ and ‘..’), such as the file ‘.tex’ included with the LaTeX tools
+package.  (On the other hand, _directories_ whose names begin with ‘.’
 are always ignored.)
 
-   If your system does not support symbolic links, omit the '-L'.
+   If your system does not support symbolic links, omit the ‘-L’.
 
-   'ls -LAR /YOUR/TEXMF/ROOT' will also work.  But using './' avoids
+   ‘ls -LAR /YOUR/TEXMF/ROOT’ will also work.  But using ‘./’ avoids
 embedding absolute pathnames, so the hierarchy can be easily
 transported.  It also avoids possible trouble with automounters or other
 network filesystem conventions.
 
-   Kpathsea warns you if it finds an 'ls-R' file, but the file does not
-contain any usable entries.  The usual culprit is running plain 'ls -R'
-instead of 'ls -LR ./' or 'ls -R /YOUR/TEXMF/ROOT'.  Another possibility
-is some system directory name starting with a '.' (perhaps if you are
+   Kpathsea warns you if it finds an ‘ls-R’ file, but the file does not
+contain any usable entries.  The usual culprit is running plain ‘ls -R’
+instead of ‘ls -LR ./’ or ‘ls -R /YOUR/TEXMF/ROOT’.  Another possibility
+is some system directory name starting with a ‘.’ (perhaps if you are
 using AFS); Kpathsea ignores everything under such directories.
 
-   If a particular path element begins with '!!', _only_ the database
+   If a particular path element begins with ‘!!’, _only_ the database
 will be searched for that element, never the disk; and if the database
 does not exist, nothing at all will be searched.  In TeX Live, most of
-the trees are specified with '!!'.
+the trees are specified with ‘!!’.
 
-   For path elements that do not begin with '!!', if the database
+   For path elements that do not begin with ‘!!’, if the database
 exists, it will be used, and the disk will not be searched.  However, in
 this case, if the database does not exist, the disk will be searched.
-In TeX Live, the most notable case of this is the 'TEXMFHOME' tree, to
+In TeX Live, the most notable case of this is the ‘TEXMFHOME’ tree, to
 allow users to add and remove files from their own tree without having
-to worry about 'ls-R'.
+to worry about ‘ls-R’.
 
-   (Aside: there are uncommon cases where a '!!' tree will be searched
-on disk even if the 'ls-R' file exists; they are too obscure to try to
-explain here.  See 'pathsearch.c' in the source if you need to know.)
+   (Aside: there are uncommon cases where a ‘!!’ tree will be searched
+on disk even if the ‘ls-R’ file exists; they are too obscure to try to
+explain here.  See ‘pathsearch.c’ in the source if you need to know.)
 
-   To sum up: do not create an 'ls-R' file unless you also take care to
+   To sum up: do not create an ‘ls-R’ file unless you also take care to
 keep it up to date.  Otherwise newly-installed files will not be found.
 
 
@@ -1092,24 +1136,24 @@
 
 In some circumstances, you may wish to find a file under several names.
 For example, suppose a TeX document was created using a DOS system and
-tries to read 'longtabl.sty'.  But now it's being run on a Unix system,
-and the file has its original name, 'longtable.sty'.  The file won't be
-found.  You need to give the actual file 'longtable.sty' an alias
-'longtabl.sty'.
+tries to read ‘longtabl.sty’.  But now it's being run on a Unix system,
+and the file has its original name, ‘longtable.sty’.  The file won't be
+found.  You need to give the actual file ‘longtable.sty’ an alias
+‘longtabl.sty’.
 
-   You can handle this by creating a file 'aliases' as a companion to
-the 'ls-R' for the hierarchy containing the file in question.  (You must
-have an 'ls-R' for the alias feature to work.)
+   You can handle this by creating a file ‘aliases’ as a companion to
+the ‘ls-R’ for the hierarchy containing the file in question.  (You must
+have an ‘ls-R’ for the alias feature to work.)
 
-   The format of 'aliases' is simple: two whitespace-separated words per
-line; the first is the real name 'longtable.sty', and second is the
-alias ('longtabl.sty').  These must be base filenames, with no directory
-components.  'longtable.sty' must be in the sibling 'ls-R'.
+   The format of ‘aliases’ is simple: two whitespace-separated words per
+line; the first is the real name ‘longtable.sty’, and second is the
+alias (‘longtabl.sty’).  These must be base filenames, with no directory
+components.  ‘longtable.sty’ must be in the sibling ‘ls-R’.
 
-   Also, blank lines and lines starting with '%' or '#' are ignored in
-'aliases', to allow for comments.
+   Also, blank lines and lines starting with ‘%’ or ‘#’ are ignored in
+‘aliases’, to allow for comments.
 
-   If a real file 'longtabl.sty' exists, it is used regardless of any
+   If a real file ‘longtabl.sty’ exists, it is used regardless of any
 aliases.
 
 
@@ -1119,21 +1163,21 @@
 ---------------------
 
 The "database" read by Kpathsea is a line-oriented file of plain text.
-The format is that generated by GNU (and most other) 'ls' programs given
-the '-R' option, as follows.
+The format is that generated by GNU (and most other) ‘ls’ programs given
+the ‘-R’ option, as follows.
 
-   * Blank lines are ignored.
+   • Blank lines are ignored.
 
-   * If a line begins with '/' or './' or '../' and ends with a colon,
-     it's the name of a directory.  ('../' lines aren't useful, however,
+   • If a line begins with ‘/’ or ‘./’ or ‘../’ and ends with a colon,
+     it's the name of a directory.  (‘../’ lines aren't useful, however,
      and should not be generated.)
 
-   * All other lines define entries in the most recently seen directory.
+   • All other lines define entries in the most recently seen directory.
      /'s in such lines will produce possibly-strange results.
 
-   * Files with no preceding directory line are ignored.
+   • Files with no preceding directory line are ignored.
 
-   For example, here's the first few lines of 'ls-R' (which totals about
+   For example, here's the first few lines of ‘ls-R’ (which totals about
 30K bytes) on my system:
 
      bibtex
@@ -1158,14 +1202,14 @@
 
 File: kpathsea.info,  Node: Invoking kpsewhich,  Prev: Filename database,  Up: Path searching
 
-5.6 'kpsewhich': Standalone path searching
+5.6 ‘kpsewhich’: Standalone path searching
 ==========================================
 
 The Kpsewhich program exercises the path searching functionality
 independent of any particular application.  This can also be useful as a
-sort of 'find' program to locate files in your TeX hierarchies, perhaps
+sort of ‘find’ program to locate files in your TeX hierarchies, perhaps
 in administrative scripts.  It is used heavily in the distributed
-'mktex...' scripts.
+‘mktex...’ scripts.
 
    Synopsis:
 
@@ -1172,7 +1216,7 @@
      kpsewhich OPTION... FILENAME...
 
    The options and filename(s) to look up can be intermixed.  Options
-can start with either '-' or '--', and any unambiguous abbreviation is
+can start with either ‘-’ or ‘--’, and any unambiguous abbreviation is
 accepted.
 
 * Menu:
@@ -1180,7 +1224,7 @@
 * Path searching options::      Changing the mode, resolution, etc.
 * Specially-recognized files::  Default formats for texmf.cnf, etc.
 * Auxiliary tasks::             Path and variable expansion, etc.
-* Standard options::            '--help' and '--version'.
+* Standard options::            ‘--help’ and ‘--version’.
 
 
 File: kpathsea.info,  Node: Path searching options,  Next: Specially-recognized files,  Up: Invoking kpsewhich
@@ -1193,73 +1237,73 @@
 
    Various options alter the path searching behavior:
 
-'--all'
+‘--all’
      Report all matches found, one per line.  By default, if there is
      more than one match, just one will be reported (chosen effectively
-     at random).  Exception: with the glyph formats ('pk', 'gf'), this
+     at random).  Exception: with the glyph formats (‘pk’, ‘gf’), this
      option has no effect and only the first match is returned.
 
-'--casefold-search'
-'--no-casefold-search'
+‘--casefold-search’
+‘--no-casefold-search’
      Explicitly enable or disable the fallback to a case-insensitive
      search on Unix platforms (*note Casefolding search::); no effect on
-     Windows.  The default is enabled, set in 'texmf.cnf'.  Disabling
-     ('--no-casefold-search') does not mean that searches magically
+     Windows.  The default is enabled, set in ‘texmf.cnf’.  Disabling
+     (‘--no-casefold-search’) does not mean that searches magically
      become case-sensitive when the underlying (file)system is
      case-insensitive, it merely means that Kpathsea does not do any
      casefolding itself.
 
-'--cnf-line=STR'
-     Parse STR as if it were a line in the 'texmf.cnf' configuration
+‘--cnf-line=STR’
+     Parse STR as if it were a line in the ‘texmf.cnf’ configuration
      file (*note Config files::), overriding settings in the actual
      configuration files, and also in the environment (*note Path
      sources::).  This is implemented by making any settings from STR in
      the environment, overwriting any value already there.  Thus, an
-     extra colon in a '--cnf-line' value will refer to the value from a
+     extra colon in a ‘--cnf-line’ value will refer to the value from a
      configuration file, not a user-set environment variable.
 
      Furthermore, any variable set from STR will also be set with the
-     program name suffix.  For example, 'pdftex
-     --cnf-line=TEXINPUTS=/foo:' will set both 'TEXINPUTS' and
-     'TEXINPUTS_pdftex' in the environment (and the value will be '/foo'
-     followed by the setting from 'texmf.cnf', ignoring any user-set
-     'TEXINPUTS').
+     program name suffix.  For example, ‘pdftex
+     --cnf-line=TEXINPUTS=/foo:’ will set both ‘TEXINPUTS’ and
+     ‘TEXINPUTS_pdftex’ in the environment (and the value will be ‘/foo’
+     followed by the setting from ‘texmf.cnf’, ignoring any user-set
+     ‘TEXINPUTS’).
 
      This behavior is desirable because, in practice, many variables in
-     the distributed 'texmf.cnf' are program-specific, and the intuitive
-     behavior is for values set on the command line with '--cnf-line' to
+     the distributed ‘texmf.cnf’ are program-specific, and the intuitive
+     behavior is for values set on the command line with ‘--cnf-line’ to
      override them.
 
-'--dpi=NUM'
-     Set the resolution to NUM; this only affects 'gf' and 'pk' lookups.
-     '-D' is a synonym, for compatibility with Dvips.  Default is 600.
+‘--dpi=NUM’
+     Set the resolution to NUM; this only affects ‘gf’ and ‘pk’ lookups.
+     ‘-D’ is a synonym, for compatibility with Dvips.  Default is 600.
 
-'--engine=NAME'
+‘--engine=NAME’
      Set the engine name to NAME.  By default it is not set in
-     'kpsewhich' (TeX engines set it to the appropriate string).  The
+     ‘kpsewhich’ (TeX engines set it to the appropriate string).  The
      engine name is used in some search paths to allow files with the
      same name but used by different engines to coexist.
 
-     In particular, since the memory dump files ('.fmt'/'.base'/'.mem')
-     are now stored in subdirectories named for the engine ('tex',
-     'pdftex', 'xetex', etc.), you must specify an engine name in order
-     to find them.  For example, 'cont-en.fmt' typically exists for both
-     'pdftex' and 'xetex'.  With the default path settings, you can use
-     '--engine=/' to look for any dump file, regardless of engine; if a
+     In particular, since the memory dump files (‘.fmt’/‘.base’/‘.mem’)
+     are now stored in subdirectories named for the engine (‘tex’,
+     ‘pdftex’, ‘xetex’, etc.), you must specify an engine name in order
+     to find them.  For example, ‘cont-en.fmt’ typically exists for both
+     ‘pdftex’ and ‘xetex’.  With the default path settings, you can use
+     ‘--engine=/’ to look for any dump file, regardless of engine; if a
      dump file exists for more than one engine, it's indeterminate which
-     one is returned.  (The '/' ends up specifying a normal recursive
+     one is returned.  (The ‘/’ ends up specifying a normal recursive
      search along the path where the dumps are stored, namely
-     '$TEXMF/web2c{/$engine,}'.)
+     ‘$TEXMF/web2c{/$engine,}’.)
 
-'--format=NAME'
+‘--format=NAME’
      Set the format for lookup to NAME.  By default, the format is
-     guessed from the filename, with 'tex' being used if nothing else
+     guessed from the filename, with ‘tex’ being used if nothing else
      fits.  The recognized filename extensions (including any leading
-     '.') are also allowable NAMEs.
+     ‘.’) are also allowable NAMEs.
 
      All formats also have a name, which is the only way to specify
      formats with no associated suffix.  For example, for Dvips
-     configuration files you can use '--format="dvips config"'.  (The
+     configuration files you can use ‘--format="dvips config"’.  (The
      quotes are for the sake of the shell.)
 
      Here's the current list of recognized names and the associated
@@ -1267,7 +1311,7 @@
      each of these.
 
      The strings in parentheses are abbreviations recognized only by
-     'kpsewhich' (not the underlying library calls).  They are provided
+     ‘kpsewhich’ (not the underlying library calls).  They are provided
      when it would otherwise require an argument containing a space to
      specify the format, to simplify quoting of calls from shells.
 
@@ -1331,43 +1375,43 @@
           ris: .ris
           bltxml: .bltxml
 
-     This option and '--path' are mutually exclusive.
+     This option and ‘--path’ are mutually exclusive.
 
-'--interactive'
+‘--interactive’
      After processing the command line, read additional filenames to
      look up from standard input.
 
-'--mktex=FILETYPE'
-'--no-mktex=FILETYPE'
-     Turn on or off the 'mktex' script associated with FILETYPE.  Usual
-     values for FILETYPE are 'pk', 'mf', 'tex', and 'tfm'.  By default,
+‘--mktex=FILETYPE’
+‘--no-mktex=FILETYPE’
+     Turn on or off the ‘mktex’ script associated with FILETYPE.  Usual
+     values for FILETYPE are ‘pk’, ‘mf’, ‘tex’, and ‘tfm’.  By default,
      all are off in Kpsewhich, even if they are enabled for TeX.  This
-     option implies setting '--must-exist'.  *Note mktex scripts::.
+     option implies setting ‘--must-exist’.  *Note mktex scripts::.
 
-'--mode=STRING'
-     Set the mode name to STRING; this also only affects 'gf' and 'pk'
+‘--mode=STRING’
+     Set the mode name to STRING; this also only affects ‘gf’ and ‘pk’
      lookups.  No default: any mode will be found.  *Note mktex script
      arguments::.
 
-'--must-exist'
+‘--must-exist’
      Do everything possible to find the files, notably including
-     searching the disk and running the 'mktex' scripts.  By default,
-     only the 'ls-R' database is checked, in the interest of efficiency.
+     searching the disk and running the ‘mktex’ scripts.  By default,
+     only the ‘ls-R’ database is checked, in the interest of efficiency.
 
-'--path=STRING'
+‘--path=STRING’
      Search along the path STRING (colon-separated as usual), instead of
-     guessing the search path from the filename.  '//' and all the usual
+     guessing the search path from the filename.  ‘//’ and all the usual
      expansions are supported (*note Path expansion::).  This option and
-     '--format' are mutually exclusive.  To output the complete
+     ‘--format’ are mutually exclusive.  To output the complete
      directory expansion of a path, instead of doing a one-shot lookup,
-     see '--expand-path' and '--show-path' in the following section.
+     see ‘--expand-path’ and ‘--show-path’ in the following section.
 
-'--progname=NAME'
-     Set the program name to NAME; default is 'kpsewhich'.  This can
-     affect the search paths via the '.PROGNAM' feature in configuration
+‘--progname=NAME’
+     Set the program name to NAME; default is ‘kpsewhich’.  This can
+     affect the search paths via the ‘.PROGNAM’ feature in configuration
      files (*note Config files::).
 
-'--subdir=STRING'
+‘--subdir=STRING’
      Report only those matches whose directory part _ends_ with STRING
      (compared literally, except case is ignored on a case-insensitive
      operating system).  For example, suppose there are two matches for
@@ -1374,108 +1418,108 @@
      a given name:
 
           kpsewhich foo.sty
-          => /some/where/foo.sty
+          ⇒ /some/where/foo.sty
           /another/place/foo.sty
 
      Then we can narrow the result to what we are interested in with
-     '--subdir':
+     ‘--subdir’:
 
           kpsewhich --subdir=where foo.sty
-          => /some/where/foo.sty
+          ⇒ /some/where/foo.sty
 
           kpsewhich --subdir=place foo.sty
-          => /another/place/foo.sty
+          ⇒ /another/place/foo.sty
 
      The string to match must be at the end of the directory part of the
      match, and it is taken literally, with no pattern matching:
 
           kpsewhich --subdir=another foo.sty
-          =>
+          ⇒
 
      The string to match may cross directory components:
 
           kpsewhich --subdir=some/where foo.sty
-          => /some/where/foo.sty
+          ⇒ /some/where/foo.sty
 
-     '--subdir' implies '--all'; if there is more than one match, they
-     will all be reported (in our example, both 'where' and 'place' end
-     in 'e'):
+     ‘--subdir’ implies ‘--all’; if there is more than one match, they
+     will all be reported (in our example, both ‘where’ and ‘place’ end
+     in ‘e’):
 
           kpsewhich --subdir=e
-          => /some/where/foo.sty
+          ⇒ /some/where/foo.sty
           /another/place/foo.sty
 
-     Because of the above rules, the presence of a leading '/' is
+     Because of the above rules, the presence of a leading ‘/’ is
      important, since it "anchors" the match to a full component name:
 
           kpsewhich --subdir=/lace foo.sty
-          =>
+          ⇒
 
-     However, a trailing '/' is immaterial (and ignored), since the
+     However, a trailing ‘/’ is immaterial (and ignored), since the
      match always takes place at the end of the directory part:
 
           kpsewhich --subdir=lace/ foo.sty
-          => /another/place/foo.sty
+          ⇒ /another/place/foo.sty
 
      The purpose of these rules is to make it convenient to find results
      only within a particular area of the tree.  For instance, a given
-     script named 'foo.lua' might exist within both
-     'texmf-dist/scripts/pkg1/' and 'texmf-dist/scripts/pkg2/'.  By
-     specifying, say, '--subdir=/pkg1', you can be sure of getting the
+     script named ‘foo.lua’ might exist within both
+     ‘texmf-dist/scripts/pkg1/’ and ‘texmf-dist/scripts/pkg2/’.  By
+     specifying, say, ‘--subdir=/pkg1’, you can be sure of getting the
      one you are interested in.
 
      We only match at the end because a site might happen to install TeX
-     in '/some/coincidental/pkg1/path/', and we wouldn't want to match
-     'texmf-dist/scripts/pkg2/' that when searching for '/pkg1'.
+     in ‘/some/coincidental/pkg1/path/’, and we wouldn't want to match
+     ‘texmf-dist/scripts/pkg2/’ that when searching for ‘/pkg1’.
 
 
 File: kpathsea.info,  Node: Specially-recognized files,  Next: Auxiliary tasks,  Prev: Path searching options,  Up: Invoking kpsewhich
 
-5.6.2 Specially-recognized files for 'kpsewhich'
+5.6.2 Specially-recognized files for ‘kpsewhich’
 ------------------------------------------------
 
-'kpsewhich' recognizes a few special filenames on the command line and
+‘kpsewhich’ recognizes a few special filenames on the command line and
 defaults to using the 'known' file formats for them, merely to save the
 time and trouble of specifying the format.  This is only a feature of
-'kpsewhich'; when using the Kpathsea library itself, none of these
+‘kpsewhich’; when using the Kpathsea library itself, none of these
 special filenames are recognized, and it's still up to the caller to
 specify the desired format.
 
-   Here is the list of special filenames to 'kpsewhich', along with
+   Here is the list of special filenames to ‘kpsewhich’, along with
 their corresponding format:
 
-'config.ps'
-     'dvips config'
+‘config.ps’
+     ‘dvips config’
 
-'dvipdfmx.cfg'
-     'other text files'
+‘dvipdfmx.cfg’
+     ‘other text files’
 
-'fmtutil.cnf'
-     'web2c files'
+‘fmtutil.cnf’
+     ‘web2c files’
 
-'glyphlist.txt'
-     'map'
+‘glyphlist.txt’
+     ‘map’
 
-'mktex.cnf'
-     'web2c files'
+‘mktex.cnf’
+     ‘web2c files’
 
-'pdfglyphlist.txt'
-     'map'
+‘pdfglyphlist.txt’
+     ‘map’
 
-'pdftex.cfg'
-     'pdftex config' (although 'pdftex.cfg' is not used any more; look
-     for the file 'pdftexconfig.tex' instead.)
+‘pdftex.cfg’
+     ‘pdftex config’ (although ‘pdftex.cfg’ is not used any more; look
+     for the file ‘pdftexconfig.tex’ instead.)
 
-'texmf.cnf'
-     'cnf'
+‘texmf.cnf’
+     ‘cnf’
 
-'XDvi'
-     'other text files'
+‘XDvi’
+     ‘other text files’
 
    A user-specified format will override the above defaults.
 
    Another reference for information about TeX's many special files is
-'tcfmgr.map', found in 'texmf/texconfig/tcfmgr.map', which records
+‘tcfmgr.map’, found in ‘texmf/texconfig/tcfmgr.map’, which records
 various information about the above configuration files (among others).
 
 
@@ -1486,84 +1530,90 @@
 
 Kpsewhich provides some features in addition to path lookup as such:
 
-'--debug=NUM'
+‘--debug=NUM’
      Set debugging options to NUM.  *Note Debugging::.
 
-'--expand-braces=STRING'
+‘--expand-braces=STRING’
      Output variable, tilde, and brace expansion of STRING, which is
      assumed to be a single path element.  *Note Path expansion::.
 
-'--expand-path=STRING'
+‘--expand-path=STRING’
      Output the complete expansion of STRING, with each element
-     separated by the usual path separator on the current system (';' on
-     Windows, ':' otherwise).  This may be useful to construct a custom
+     separated by the usual path separator on the current system (‘;’ on
+     Windows, ‘:’ otherwise).  This may be useful to construct a custom
      search path for a format not otherwise supported.  To retrieve the
      search path for a format that is already supported, see
-     '--show-path'.
+     ‘--show-path’.
 
      Nonexistent directories are culled from the output:
 
           $ kpsewhich --expand-path '/tmp'
-          => /tmp
+          ⇒ /tmp
           $ kpsewhich --expand-path '/nonesuch'
-          =>
+          ⇒
 
      For one-shot uses of an arbitrary (not built in to Kpathsea) path,
-     see '--path' (*note Path searching options::).
+     see ‘--path’ (*note Path searching options::).
 
-'--expand-var=STRING'
+‘--expand-var=STRING’
      Output the variable and tilde expansion of STRING.  For example,
-     with the usual 'texmf.cnf', 'kpsewhich --expand-var='$TEXMF''
+     with the usual ‘texmf.cnf’, ‘kpsewhich --expand-var='$TEXMF'’
      returns the TeX system hierarchy root(s).  *Note Path expansion::.
      The specified STRING can contain anything, though, not just
-     variable references.  This calls 'kpse_var_expand' (*note
+     variable references.  This calls ‘kpse_var_expand’ (*note
      Programming with config files::).
 
-'--help-formats'
+‘--help-formats’
      Output information about each supported format (*note Supported
      file formats::), including the names and abbreviations, variables
      looked for, and the original path.
 
-'--safe-in-name=NAME'
-'--safe-out-name=NAME'
+‘--safe-extended-in-name=NAME’
+‘--safe-extended-out-name=NAME’
+     As with ‘--safe-in-name’ and ‘--safe-out-name’ (next item), but
+     also allow files under the variables ‘TEXMFVAR’ and ‘TEXMFSYSVAR’
+     (*note Calling sequence::).
+
+‘--safe-in-name=NAME’
+‘--safe-out-name=NAME’
      Exit successfully if NAME is safe to open for reading or writing,
-     respectively, else unsuccessfully.  No output is written.  These
+     respectively, else unsuccessfully.  No errors are output.  These
      tests take account of the related Kpathsea configuration settings
      (*note Calling sequence::).
 
-'--show-path=NAME'
+‘--show-path=NAME’
      Show the path that would be used for file lookups of file type
-     NAME.  Either a filename extension ('pk', '.vf', etc.)  or an
-     integer can be used, just as with '--format', described in the
+     NAME.  Either a filename extension (‘pk’, ‘.vf’, etc.)  or an
+     integer can be used, just as with ‘--format’, described in the
      previous section.
 
-'--var-brace-value=VARIABLE'
-     Like '--var-value' (next), but also expands '{...}' constructs.
+‘--var-brace-value=VARIABLE’
+     Like ‘--var-value’ (next), but also expands ‘{...}’ constructs.
      (*note Brace expansion::).  Thus, the value is assumed to possibly
-     be several path elements, and '~' is expanded at the beginning of
+     be several path elements, and ‘~’ is expanded at the beginning of
      each.  The path separator is changed to that of the current system
      in the expansion.
 
-     Example: 'FOO='.;~' kpsewhich --var-brace-value=FOO' outputs (on a
-     Unix-ish system) '.:/home/karl', supposing the latter is the
-     current user's home directory.  Note that the ';' in the source
-     value, as commonly used in 'texmf.cnf', has changed to a ':', as
+     Example: ‘FOO='.;~' kpsewhich --var-brace-value=FOO’ outputs (on a
+     Unix-ish system) ‘.:/home/karl’, supposing the latter is the
+     current user's home directory.  Note that the ‘;’ in the source
+     value, as commonly used in ‘texmf.cnf’, has changed to a ‘:’, as
      the normal path separator on the current system.  On a Windows-ish
-     system, the ';' would remain.
+     system, the ‘;’ would remain.
 
-'--var-value=VARIABLE'
+‘--var-value=VARIABLE’
      Outputs the value of VARIABLE (a simple identifier like
-     'TEXMFDIST', with no '$' or other constructs), expanding '$' (*note
-     Variable expansion::) and '~' (*note Tilde expansion::) constructs
-     in the value.  '~' expansion happens at the beginning of the
+     ‘TEXMFDIST’, with no ‘$’ or other constructs), expanding ‘$’ (*note
+     Variable expansion::) and ‘~’ (*note Tilde expansion::) constructs
+     in the value.  ‘~’ expansion happens at the beginning of the
      overall value and at the beginning of a variable expansion, but not
      arbitrarily within the string.  Braces are not expanded.
 
-     Example: '--var-value=texmf_casefold_search' outputs (if the
-     default is not changed) '1'.
+     Example: ‘--var-value=texmf_casefold_search’ outputs (if the
+     default is not changed) ‘1’.
 
-     Example to contrast with '--var-brace-value': 'FOO='.;~' kpsewhich
-     --var-value=FOO' outputs '.;~', i.e., the same as the input value,
+     Example to contrast with ‘--var-brace-value’: ‘FOO='.;~' kpsewhich
+     --var-value=FOO’ outputs ‘.;~’, i.e., the same as the input value,
      on all systems.
 
 
@@ -1574,10 +1624,10 @@
 
 Kpsewhich accepts the standard GNU options:
 
-   * '--help' prints a help message on standard output and exits
+   • ‘--help’ prints a help message on standard output and exits
      successfully.
 
-   * '--version' prints the Kpathsea version number and exits
+   • ‘--version’ prints the Kpathsea version number and exits
      successfully.
 
 
@@ -1601,7 +1651,7 @@
    Kpathsea provides a standard way to search for files of any of the
 supported file types; glyph fonts are a bit different than all the rest.
 Searches are based solely on names of files, not their contents--if a GF
-file is (mis)named 'cmr10.600pk', it will be found as a PK file.
+file is (mis)named ‘cmr10.600pk’, it will be found as a PK file.
 
 * Menu:
 
@@ -1624,253 +1674,253 @@
 suffixes, and/or a program to be run to create missing files on the fly.
 
    Since environment variables containing periods, such as
-'TEXINPUTS.latex', are not allowed on some systems, Kpathsea looks for
-environment variables with an underscore, e.g., 'TEXINPUTS_latex' (*note
+‘TEXINPUTS.latex’, are not allowed on some systems, Kpathsea looks for
+environment variables with an underscore, e.g., ‘TEXINPUTS_latex’ (*note
 Config files::).
 
    The following table lists the above information.  You can also get
-the list by giving the '--help-formats' option to 'kpsewhich' (*note
+the list by giving the ‘--help-formats’ option to ‘kpsewhich’ (*note
 Auxiliary tasks::).
 
-'afm'
-     (Adobe font metrics, *note (dvips)Metric files::) 'AFMFONTS';
-     suffix '.afm'.
+‘afm’
+     (Adobe font metrics, *note (dvips)Metric files::) ‘AFMFONTS’;
+     suffix ‘.afm’.
 
-'base'
-     (Metafont memory dump, *note (web2c)Memory dumps::) 'MFBASES',
-     'TEXMFINI'; suffix '.base'.
+‘base’
+     (Metafont memory dump, *note (web2c)Memory dumps::) ‘MFBASES’,
+     ‘TEXMFINI’; suffix ‘.base’.
 
-'bib'
+‘bib’
      (BibTeX bibliography source, *note (web2c)bibtex invocation::)
-     'BIBINPUTS', 'TEXBIB'; suffix '.bib'.
+     ‘BIBINPUTS’, ‘TEXBIB’; suffix ‘.bib’.
 
-'bltxml'
+‘bltxml’
      (BibLaTeXML bibliography files for Biber,
-     <https://ctan.org/pkg/biber>) 'BLTXMLINPUTS' suffix '.bltxml'.
+     <https://ctan.org/pkg/biber>) ‘BLTXMLINPUTS’ suffix ‘.bltxml’.
 
-'bst'
+‘bst’
      (BibTeX style, *note Basic BibTeX style files: (web2c)Basic BibTeX
-     style files.) 'BSTINPUTS'; suffix '.bst'.
+     style files.) ‘BSTINPUTS’; suffix ‘.bst’.
 
-'clua'
+‘clua’
      (dynamic libraries for Lua, <https://ctan.org/pkg/luatex>)
-     'CLUAINPUTS' suffixes '.dll' and '.so'.
+     ‘CLUAINPUTS’ suffixes ‘.dll’ and ‘.so’.
 
-'cmap'
-     (character map files) 'CMAPFONTS'; suffix '.cmap'.
+‘cmap’
+     (character map files) ‘CMAPFONTS’; suffix ‘.cmap’.
 
-'cnf'
-     (Runtime configuration files, *note Config files::) 'TEXMFCNF';
-     suffix '.cnf'.
+‘cnf’
+     (Runtime configuration files, *note Config files::) ‘TEXMFCNF’;
+     suffix ‘.cnf’.
 
-'cweb'
-     (CWEB input files) 'CWEBINPUTS'; suffixes '.w', '.web'; additional
-     suffix '.ch'.
+‘cweb’
+     (CWEB input files) ‘CWEBINPUTS’; suffixes ‘.w’, ‘.web’; additional
+     suffix ‘.ch’.
 
-'dvips config'
-     (Dvips 'config.*' files, such as 'config.ps', *note (dvips)Config
-     files::) 'TEXCONFIG'.
+‘dvips config’
+     (Dvips ‘config.*’ files, such as ‘config.ps’, *note (dvips)Config
+     files::) ‘TEXCONFIG’.
 
-'enc files'
-     (encoding vectors) 'ENCFONTS'; suffix '.enc'.
+‘enc files’
+     (encoding vectors) ‘ENCFONTS’; suffix ‘.enc’.
 
-'fmt'
-     (TeX memory dump, *note (web2c)Memory dumps::) 'TEXFORMATS',
-     'TEXMFINI'; suffix '.fmt'.
+‘fmt’
+     (TeX memory dump, *note (web2c)Memory dumps::) ‘TEXFORMATS’,
+     ‘TEXMFINI’; suffix ‘.fmt’.
 
-'font cid map'
-     (CJK mapping) 'FONTCIDMAPS' suffix '.cid'.
+‘font cid map’
+     (CJK mapping) ‘FONTCIDMAPS’ suffix ‘.cid’.
 
-'font feature files'
-     (primarily for OpenType font features) 'FONTFEATURES' suffix
-     '.fea'.
+‘font feature files’
+     (primarily for OpenType font features) ‘FONTFEATURES’ suffix
+     ‘.fea’.
 
-'gf'
-     (generic font bitmap, *note (dvips)Glyph files::) 'PROGRAMFONTS',
-     'GFFONTS', 'GLYPHFONTS', 'TEXFONTS'; suffix 'gf'.
+‘gf’
+     (generic font bitmap, *note (dvips)Glyph files::) ‘PROGRAMFONTS’,
+     ‘GFFONTS’, ‘GLYPHFONTS’, ‘TEXFONTS’; suffix ‘gf’.
 
-'graphic/figure'
+‘graphic/figure’
      (Encapsulated PostScript figures, *note (dvips)PostScript
-     figures::) 'TEXPICTS', 'TEXINPUTS'; additional suffixes: '.eps',
-     '.epsi'.
+     figures::) ‘TEXPICTS’, ‘TEXINPUTS’; additional suffixes: ‘.eps’,
+     ‘.epsi’.
 
-'ist'
-     (makeindex style files) 'TEXINDEXSTYLE', 'INDEXSTYLE'; suffix
-     '.ist'.
+‘ist’
+     (makeindex style files) ‘TEXINDEXSTYLE’, ‘INDEXSTYLE’; suffix
+     ‘.ist’.
 
-'lig files'
-     (ligature definition files) 'LIGFONTS'; suffix '.lig'.
+‘lig files’
+     (ligature definition files) ‘LIGFONTS’; suffix ‘.lig’.
 
-'ls-R'
-     (Filename databases, *note Filename database::) 'TEXMFDBS'.
+‘ls-R’
+     (Filename databases, *note Filename database::) ‘TEXMFDBS’.
 
-'lua'
-     (Lua scripts, <https://ctan.org/pkg/luatex>) 'LUAINPUTS' suffixes
-     '.lua', '.luatex', '.luc', '.luctex', '.texlua', '.texluc', '.tlu'.
+‘lua’
+     (Lua scripts, <https://ctan.org/pkg/luatex>) ‘LUAINPUTS’ suffixes
+     ‘.lua’, ‘.luatex’, ‘.luc’, ‘.luctex’, ‘.texlua’, ‘.texluc’, ‘.tlu’.
 
-'map'
-     (Fontmaps, *note Fontmap::) 'TEXFONTMAPS'; suffix '.map'.
+‘map’
+     (Fontmaps, *note Fontmap::) ‘TEXFONTMAPS’; suffix ‘.map’.
 
-'mem'
-     (MetaPost memory dump, *note (web2c)Memory dumps::) 'MPMEMS',
-     'TEXMFINI'; suffix '.mem'.
+‘mem’
+     (MetaPost memory dump, *note (web2c)Memory dumps::) ‘MPMEMS’,
+     ‘TEXMFINI’; suffix ‘.mem’.
 
-'MetaPost support'
+‘MetaPost support’
      (MetaPost support files, used by DMP; *note (web2c)dmp
-     invocation::) 'MPSUPPORT'.
+     invocation::) ‘MPSUPPORT’.
 
-'mf'
-     (Metafont source, *note (web2c)mf invocation::) 'MFINPUTS'; suffix
-     '.mf'; dynamic creation program: 'mktexmf'.
+‘mf’
+     (Metafont source, *note (web2c)mf invocation::) ‘MFINPUTS’; suffix
+     ‘.mf’; dynamic creation program: ‘mktexmf’.
 
-'mfpool'
+‘mfpool’
      (Metafont program strings, *note (web2c)pooltype invocation::)
-     'MFPOOL', 'TEXMFINI'; suffix '.pool'.
+     ‘MFPOOL’, ‘TEXMFINI’; suffix ‘.pool’.
 
-'mft'
-     ('MFT' style file, *note (web2c)mft invocation::) 'MFTINPUTS';
-     suffix '.mft'.
+‘mft’
+     (‘MFT’ style file, *note (web2c)mft invocation::) ‘MFTINPUTS’;
+     suffix ‘.mft’.
 
-'misc fonts'
+‘misc fonts’
      (font-related files that don't fit the other categories)
-     'MISCFONTS'
+     ‘MISCFONTS’
 
-'mlbib'
-     (MlBibTeX bibliography source) 'MLBIBINPUTS', 'BIBINPUTS',
-     'TEXBIB'; suffixes '.mlbib', '.mlbib'.
+‘mlbib’
+     (MlBibTeX bibliography source) ‘MLBIBINPUTS’, ‘BIBINPUTS’,
+     ‘TEXBIB’; suffixes ‘.mlbib’, ‘.mlbib’.
 
-'mlbst'
-     (MlBibTeX style) 'MLBSTINPUTS', 'BSTINPUTS'; suffixes '.mlbst',
-     '.bst'.
+‘mlbst’
+     (MlBibTeX style) ‘MLBSTINPUTS’, ‘BSTINPUTS’; suffixes ‘.mlbst’,
+     ‘.bst’.
 
-'mp'
-     (MetaPost source, *note (web2c)mpost invocation::) 'MPINPUTS';
-     suffix '.mp'.
+‘mp’
+     (MetaPost source, *note (web2c)mpost invocation::) ‘MPINPUTS’;
+     suffix ‘.mp’.
 
-'mppool'
+‘mppool’
      (MetaPost program strings, *note (web2c)pooltype invocation::)
-     'MPPOOL', 'TEXMFINI'; suffix '.pool'.
+     ‘MPPOOL’, ‘TEXMFINI’; suffix ‘.pool’.
 
-'ocp'
-     (Omega compiled process files) 'OCPINPUTS';
-     suffix '.ocp'; dynamic creation program: 'MakeOmegaOCP'.
+‘ocp’
+     (Omega compiled process files) ‘OCPINPUTS’;
+     suffix ‘.ocp’; dynamic creation program: ‘MakeOmegaOCP’.
 
-'ofm'
-     (Omega font metrics) 'OFMFONTS', 'TEXFONTS';
-     suffixes '.ofm', '.tfm'; dynamic creation program: 'MakeOmegaOFM'.
+‘ofm’
+     (Omega font metrics) ‘OFMFONTS’, ‘TEXFONTS’;
+     suffixes ‘.ofm’, ‘.tfm’; dynamic creation program: ‘MakeOmegaOFM’.
 
-'opentype fonts'
-     (OpenType fonts) 'OPENTYPEFONTS'.
+‘opentype fonts’
+     (OpenType fonts) ‘OPENTYPEFONTS’.
 
-'opl'
-     (Omega property lists) 'OPLFONTS', 'TEXFONTS'; suffix '.opl'.
+‘opl’
+     (Omega property lists) ‘OPLFONTS’, ‘TEXFONTS’; suffix ‘.opl’.
 
-'otp'
-     (Omega translation process files) 'OTPINPUTS'; suffix '.otp'.
+‘otp’
+     (Omega translation process files) ‘OTPINPUTS’; suffix ‘.otp’.
 
-'ovf'
-     (Omega virtual fonts) 'OVFFONTS', 'TEXFONTS'; suffix '.ovf'.
+‘ovf’
+     (Omega virtual fonts) ‘OVFFONTS’, ‘TEXFONTS’; suffix ‘.ovf’.
 
-'ovp'
-     (Omega virtual property lists) 'OVPFONTS', 'TEXFONTS'; suffix
-     '.ovp'.
+‘ovp’
+     (Omega virtual property lists) ‘OVPFONTS’, ‘TEXFONTS’; suffix
+     ‘.ovp’.
 
-'pdftex config'
-     (PDFTeX-specific configuration files) 'PDFTEXCONFIG'.
+‘pdftex config’
+     (PDFTeX-specific configuration files) ‘PDFTEXCONFIG’.
 
-'pk'
-     (packed bitmap fonts, *note (dvips)Glyph files::) 'PROGRAMFONTS'
-     (PROGRAM being 'XDVI', etc.), 'PKFONTS', 'TEXPKS', 'GLYPHFONTS',
-     'TEXFONTS'; suffix 'pk'; dynamic creation program: 'mktexpk'.
+‘pk’
+     (packed bitmap fonts, *note (dvips)Glyph files::) ‘PROGRAMFONTS’
+     (PROGRAM being ‘XDVI’, etc.), ‘PKFONTS’, ‘TEXPKS’, ‘GLYPHFONTS’,
+     ‘TEXFONTS’; suffix ‘pk’; dynamic creation program: ‘mktexpk’.
 
-'PostScript header'
+‘PostScript header’
      (downloadable PostScript, *note (dvips)Header files::)
-     'TEXPSHEADERS', 'PSHEADERS'; additional suffix '.pro'.
+     ‘TEXPSHEADERS’, ‘PSHEADERS’; additional suffix ‘.pro’.
 
-'ris'
+‘ris’
      (RIS bibliography files, primarily for Biber,
-     <https://ctan.org/pkg/biber>) 'RISINPUTS' suffix '.ris'.
+     <https://ctan.org/pkg/biber>) ‘RISINPUTS’ suffix ‘.ris’.
 
-'subfont definition files'
-     (subfont definition files) 'SFDFONTS' suffix '.sfd'.
+‘subfont definition files’
+     (subfont definition files) ‘SFDFONTS’ suffix ‘.sfd’.
 
-'tex'
-     (TeX source, *note (web2c)tex invocation::) 'TEXINPUTS'; suffix
-     '.tex'; additional suffixes: none, because such a list cannot be
-     complete; dynamic creation program: 'mktextex'.
+‘tex’
+     (TeX source, *note (web2c)tex invocation::) ‘TEXINPUTS’; suffix
+     ‘.tex’; additional suffixes: none, because such a list cannot be
+     complete; dynamic creation program: ‘mktextex’.
 
-'TeX system documentation'
-     (Documentation files for the TeX system) 'TEXDOCS'.
+‘TeX system documentation’
+     (Documentation files for the TeX system) ‘TEXDOCS’.
 
-'TeX system sources'
-     (Source files for the TeX system) 'TEXSOURCES'.
+‘TeX system sources’
+     (Source files for the TeX system) ‘TEXSOURCES’.
 
-'texmfscripts'
+‘texmfscripts’
      (Architecture-independent executables distributed in the texmf
-     trees) 'TEXMFSCRIPTS'.
+     trees) ‘TEXMFSCRIPTS’.
 
-'texpool'
+‘texpool’
      (TeX program strings, *note (web2c)pooltype invocation::)
-     'TEXPOOL', 'TEXMFINI'; suffix '.pool'.
+     ‘TEXPOOL’, ‘TEXMFINI’; suffix ‘.pool’.
 
-'tfm'
-     (TeX font metrics, *note (dvips)Metric files::) 'TFMFONTS',
-     'TEXFONTS'; suffix '.tfm'; dynamic creation program: 'mktextfm'.
+‘tfm’
+     (TeX font metrics, *note (dvips)Metric files::) ‘TFMFONTS’,
+     ‘TEXFONTS’; suffix ‘.tfm’; dynamic creation program: ‘mktextfm’.
 
-'Troff fonts'
+‘Troff fonts’
      (Troff fonts, used by DMP; *note (web2c)DMP invocation::)
-     'TRFONTS'.
+     ‘TRFONTS’.
 
-'truetype fonts'
-     (TrueType outline fonts) 'TTFONTS'; suffixes '.ttf' and '.TTF',
-     '.ttc' and '.TTC', '.dfont'.
+‘truetype fonts’
+     (TrueType outline fonts) ‘TTFONTS’; suffixes ‘.ttf’ and ‘.TTF’,
+     ‘.ttc’ and ‘.TTC’, ‘.dfont’.
 
-'type1 fonts'
+‘type1 fonts’
      (Type 1 PostScript outline fonts, *note (dvips)Glyph files::)
-     'T1FONTS', 'T1INPUTS', 'TEXPSHEADERS', 'DVIPSHEADERS'; suffixes
-     '.pfa', '.pfb'.
+     ‘T1FONTS’, ‘T1INPUTS’, ‘TEXPSHEADERS’, ‘DVIPSHEADERS’; suffixes
+     ‘.pfa’, ‘.pfb’.
 
-'type42 fonts'
-     (Type 42 PostScript outline fonts) 'T42FONTS'.
+‘type42 fonts’
+     (Type 42 PostScript outline fonts) ‘T42FONTS’.
 
-'vf'
-     (virtual fonts, *note (dvips)Virtual fonts::) 'VFFONTS',
-     'TEXFONTS'; suffix '.vf'.
+‘vf’
+     (virtual fonts, *note (dvips)Virtual fonts::) ‘VFFONTS’,
+     ‘TEXFONTS’; suffix ‘.vf’.
 
-'web'
-     (WEB input files) 'WEBINPUTS'; suffix '.web'; additional suffix
-     '.ch'.
+‘web’
+     (WEB input files) ‘WEBINPUTS’; suffix ‘.web’; additional suffix
+     ‘.ch’.
 
-'web2c files'
-     (files specific to the web2c implementation) 'WEB2C'.
+‘web2c files’
+     (files specific to the web2c implementation) ‘WEB2C’.
 
    There are two special cases, because the paths and environment
 variables always depend on the name of the program: the variable name is
 constructed by converting the program name to upper case, and then
-appending 'INPUTS'.  Assuming the program is called 'foo', this gives us
+appending ‘INPUTS’.  Assuming the program is called ‘foo’, this gives us
 the following table.
 
-'other text files'
-     (text files used by 'foo') 'FOOINPUTS'.
+‘other text files’
+     (text files used by ‘foo’) ‘FOOINPUTS’.
 
-'other binary files'
-     (binary files used by 'foo') 'FOOINPUTS'.
+‘other binary files’
+     (binary files used by ‘foo’) ‘FOOINPUTS’.
 
    If an environment variable by these names are set, the corresponding
-'texmf.cnf' definition won't be looked at (unless, as usual, the
-environment variable value has an extra ':').  *Note Default
+‘texmf.cnf’ definition won't be looked at (unless, as usual, the
+environment variable value has an extra ‘:’).  *Note Default
 expansion::.
 
    For the font variables, the intent is that:
-   * 'TEXFONTS' is the default for everything.
+   • ‘TEXFONTS’ is the default for everything.
 
-   * 'GLYPHFONTS' is the default for bitmap (or, more precisely,
+   • ‘GLYPHFONTS’ is the default for bitmap (or, more precisely,
      non-metric) files.
 
-   * Each font format has a variable of its own.
+   • Each font format has a variable of its own.
 
-   * Each program has its own font override path as well; e.g.,
-     'DVIPSFONTS' for Dvipsk.  Again, this is for bitmaps, not metrics.
+   • Each program has its own font override path as well; e.g.,
+     ‘DVIPSFONTS’ for Dvipsk.  Again, this is for bitmaps, not metrics.
 
 
 File: kpathsea.info,  Node: File lookup,  Next: Glyph lookup,  Prev: Supported file formats,  Up: TeX support
@@ -1886,31 +1936,31 @@
   1. If the file format defines default suffixes, and the suffix of NAME
      name is not already a known suffix for that format, try the name
      with each default appended, and use alternative names found in the
-     fontmaps if necessary.  Example: given 'foo.bar', look for
-     'foo.bar.tex'.
+     fontmaps if necessary.  Example: given ‘foo.bar’, look for
+     ‘foo.bar.tex’.
 
   2. Search for NAME, and if necessary for alternative names found in
-     the fontmaps.  Example: given 'foo.bar', we also look for
-     'foo.bar'.
+     the fontmaps.  Example: given ‘foo.bar’, we also look for
+     ‘foo.bar’.
 
   3. If the file format defines a program to invoke to create missing
      files, run it (*note mktex scripts::).
 
    The order in which we search for "suffixed" name (item 1) or the
-"as-is" name (item 2) is controlled by the 'try_std_extension_first'
-configuration value.  The default set in 'texmf.cnf' is true, since
-common suffixes are already recognized: 'babel.sty' will only look for
-'babel.sty', not 'babel.sty.tex', regardless of this setting.
+"as-is" name (item 2) is controlled by the ‘try_std_extension_first’
+configuration value.  The default set in ‘texmf.cnf’ is true, since
+common suffixes are already recognized: ‘babel.sty’ will only look for
+‘babel.sty’, not ‘babel.sty.tex’, regardless of this setting.
 
-   When the suffix is unknown (e.g., 'foo.bar'), both names are always
+   When the suffix is unknown (e.g., ‘foo.bar’), both names are always
 tried; the difference is the order in which they are tried.
 
-   'try_std_extension_first' only affects names being looked up which
-*already* have an extension.  A name without an extension (e.g., 'tex
-story') will always have an extension added first.
+   ‘try_std_extension_first’ only affects names being looked up which
+*already* have an extension.  A name without an extension (e.g., ‘tex
+story’) will always have an extension added first.
 
-   This algorithm is implemented in the function 'kpathsea_find_file' in
-the source file 'kpathsea/tex-file.c'.  You can watch it in action with
+   This algorithm is implemented in the function ‘kpathsea_find_file’ in
+the source file ‘kpathsea/tex-file.c’.  You can watch it in action with
 the debugging options (*note Debugging::).
 
 
@@ -1920,7 +1970,7 @@
 ================
 
 This section describes how Kpathsea searches for a bitmap font in GF or
-PK format (or either) given a font name (e.g., 'cmr10') and a resolution
+PK format (or either) given a font name (e.g., ‘cmr10’) and a resolution
 (e.g., 600).
 
    Here is an outline of the search strategy (details in the sections
@@ -1931,16 +1981,16 @@
      format(s).
 
   2. If NAME is an alias for a file F in the fontmap file
-     'texfonts.map', look for F.DPI.
+     ‘texfonts.map’, look for F.DPI.
 
-  3. Run an external program (typically named 'mktexpk') to generate the
+  3. Run an external program (typically named ‘mktexpk’) to generate the
      font (*note mktex scripts::)
 
   4. Look for FALLBACK.DPI, where FALLBACK is some last-resort font
-     (typically 'cmr10').
+     (typically ‘cmr10’).
 
-   This is implemented in 'kpathsea_find_glyph' in
-'kpathsea/tex-glyph.c'.
+   This is implemented in ‘kpathsea_find_glyph’ in
+‘kpathsea/tex-glyph.c’.
 
 * Menu:
 
@@ -1956,16 +2006,16 @@
 
 When Kpathsea looks for a bitmap font NAME at resolution DPI in a format
 FORMAT, it first checks each directory in the search path for a file
-'NAME.DPIFORMAT'; for example, 'cmr10.600pk'.  Kpathsea looks for a PK
+‘NAME.DPIFORMAT’; for example, ‘cmr10.600pk’.  Kpathsea looks for a PK
 file first, then a GF file.
 
-   If that fails, Kpathsea looks for 'dpiDPI/NAME.FORMAT'; for example,
-'dpi600/cmr10.pk'.  This is how fonts are typically stored on
+   If that fails, Kpathsea looks for ‘dpiDPI/NAME.FORMAT’; for example,
+‘dpi600/cmr10.pk’.  This is how fonts are typically stored on
 filesystems (such as DOS) that permit only three-character extensions.
 
    If that fails, Kpathsea looks for a font with a close-enough DPI.
-"Close enough" is defined by the macro 'KPSE_BITMAP_TOLERANCE' in
-'kpathsea/tex-glyph.h' to be 'DPI / 500 + 1'.  This is slightly more
+"Close enough" is defined by the macro ‘KPSE_BITMAP_TOLERANCE’ in
+‘kpathsea/tex-glyph.h’ to be ‘DPI / 500 + 1’.  This is slightly more
 than the 0.2% minimum allowed by the DVI standard
 (<CTAN:/dviware/driv-standard/level-0>).
 
@@ -1976,51 +2026,51 @@
 -------------
 
 If a bitmap font or metric file is not found with the original name (see
-the previous section), Kpathsea looks through any "fontmap" files for an
-"alias" for the original font name.  These files are named
-'texfonts.map' and searched for along the 'TEXFONTMAPS'
-environment/config file variable.  All 'texfonts.map' files that are
+the previous section), Kpathsea looks through any “fontmap” files for an
+“alias” for the original font name.  These files are named
+‘texfonts.map’ and searched for along the ‘TEXFONTMAPS’
+environment/config file variable.  All ‘texfonts.map’ files that are
 found are read; earlier definitions override later ones.
 
    This feature is intended to help in two respects:
 
   1. An alias name is limited in length only by available memory, not by
-     your filesystem.  Therefore, if you want to ask for 'Times-Roman'
-     instead of 'ptmr', you can (you get 'ptmr8r').
+     your filesystem.  Therefore, if you want to ask for ‘Times-Roman’
+     instead of ‘ptmr’, you can (you get ‘ptmr8r’).
 
   2. A few fonts have historically had multiple names: specifically,
-     LaTeX's "circle font" has variously been known as 'circle10',
-     'lcircle10', and 'lcirc10'.  Aliases can make all the names
+     LaTeX's "circle font" has variously been known as ‘circle10’,
+     ‘lcircle10’, and ‘lcirc10’.  Aliases can make all the names
      equivalent, so that it no longer matters what the name of the
      installed file is; TeX documents will find their favorite name.
 
    The format of fontmap files:
 
-   * Comments start with the last '%' on a line and continue to the end
+   • Comments start with the last ‘%’ on a line and continue to the end
      of the line.  (This provides for names that include a %,
      ill-advised as that may be.)
 
-   * Blank lines are ignored.
+   • Blank lines are ignored.
 
-   * Each nonblank line is broken up into a series of "words": a
+   • Each nonblank line is broken up into a series of “words”: a
      sequence of non-whitespace characters.
 
-   * If the first word is 'include', the second word is used as a
+   • If the first word is ‘include’, the second word is used as a
      filename, and it is searched for and read.
 
-   * Otherwise, the first word on each line is the true filename;
+   • Otherwise, the first word on each line is the true filename;
 
-   * the second word is the alias;
+   • the second word is the alias;
 
-   * subsequent words are ignored.
+   • subsequent words are ignored.
 
    If an alias has an extension, it matches only those files with that
 extension; otherwise, it matches anything with the same root, regardless
-of extension.  For example, an alias 'foo.tfm' matches only when
-'foo.tfm' is being searched for; but an alias 'foo' matches 'foo.vf',
-'foo.600pk', etc.
+of extension.  For example, an alias ‘foo.tfm’ matches only when
+‘foo.tfm’ is being searched for; but an alias ‘foo’ matches ‘foo.vf’,
+‘foo.600pk’, etc.
 
-   As an example, here is an excerpt from the 'texfonts.map' in the
+   As an example, here is an excerpt from the ‘texfonts.map’ in the
 Web2c distribution.  It makes the old and new names of the LaTeX circle
 fonts equivalent.
 
@@ -2032,7 +2082,7 @@
      lcirc10         lcircle10
      ...
 
-   Fontmaps are implemented in the file 'kpathsea/fontmap.c'.  The
+   Fontmaps are implemented in the file ‘kpathsea/fontmap.c’.  The
 Fontname distribution has much more information on font naming (*note
 (fontname)::).
 
@@ -2043,17 +2093,17 @@
 -------------------
 
 If a bitmap font cannot be found or created at the requested size,
-Kpathsea looks for the font at a set of "fallback resolutions".  You
+Kpathsea looks for the font at a set of “fallback resolutions”.  You
 specify these resolutions as a colon-separated list (like search paths).
 Kpathsea looks first for a program-specific environment variable (e.g.,
-'DVIPSSIZES' for Dvipsk), then the environment variable 'TEXSIZES', then
+‘DVIPSSIZES’ for Dvipsk), then the environment variable ‘TEXSIZES’, then
 a default specified at compilation time (the Make variable
-'default_texsizes').  You can set this list to be empty if you prefer to
+‘default_texsizes’).  You can set this list to be empty if you prefer to
 find fonts at their stated size or not at all.
 
    Finally, if the font cannot be found even at the fallback
-resolutions, Kpathsea looks for a fallback font, typically 'cmr10'.
-Programs must enable this feature by calling 'kpathsea_init_prog' (*note
+resolutions, Kpathsea looks for a fallback font, typically ‘cmr10’.
+Programs must enable this feature by calling ‘kpathsea_init_prog’ (*note
 Calling sequence::); the default is no fallback font.
 
 
@@ -2066,43 +2116,43 @@
 this is useful at large sites where most users are not administrators,
 and thus the warnings are merely a source of confusion, not a help.  To
 do this, you set the environment variable or configuration file value
-'TEX_HUSH' to a colon-separated list of values.  Here are the
+‘TEX_HUSH’ to a colon-separated list of values.  Here are the
 possibilities:
 
-'all'
+‘all’
      Suppress everything possible.
 
-'checksum'
+‘checksum’
      Suppress mismatched font checksum warnings.
 
-'lostchar'
+‘lostchar’
      Suppress warnings when a character is missing from a font that a
      DVI or VF file tries to typeset.
 
-'none'
+‘none’
      Don't suppress any warnings.
 
-'readable'
+‘readable’
      Suppress warnings about attempts to access a file whose permissions
      render it unreadable.
 
-'special'
-     Suppresses warnings about an unimplemented or unparsable '\special'
+‘special’
+     Suppresses warnings about an unimplemented or unparsable ‘\special’
      command.
 
-'tex-hush.c' defines the function that checks the variable value.  Each
+‘tex-hush.c’ defines the function that checks the variable value.  Each
 driver implements its own checks where appropriate.
 
 
 File: kpathsea.info,  Node: mktex scripts,  Prev: Suppressing warnings,  Up: TeX support
 
-6.5 'mktex' scripts
+6.5 ‘mktex’ scripts
 ===================
 
 If Kpathsea cannot otherwise find a file, for some file types it is
 configured by default to invoke an external program to create it
 dynamically (*note mktex configuration::).  These are collectively known
-as "'mktex' scripts", since most of them are named 'mktex...'.
+as “‘mktex’ scripts”, since most of them are named ‘mktex...’.
 
    For example, this is useful for fonts (bitmaps, TFM's, and
 arbitrarily-sizable Metafont sources such as the Sauter and EC fonts),
@@ -2110,8 +2160,8 @@
 Building all fonts in advance is therefore impractical, if not
 impossible.
 
-   It is also useful for the TeX '.fmt' (and Metafont '.base' and
-Metapost '.mem' files, *note (Web2c)Memory dumps::), where
+   It is also useful for the TeX ‘.fmt’ (and Metafont ‘.base’ and
+Metapost ‘.mem’ files, *note (Web2c)Memory dumps::), where
 pre-generating every format consumes a lot of both time and space.
 
    The script is passed the name of the file to create and possibly
@@ -2128,13 +2178,13 @@
 
 File: kpathsea.info,  Node: mktex configuration,  Next: mktex script names,  Up: mktex scripts
 
-6.5.1 'mktex' configuration
+6.5.1 ‘mktex’ configuration
 ---------------------------
 
 The list of file types and program names that can run an external
 program to create missing files is listed in the next section.  In the
-absence of 'configure' options specifying otherwise, everything but
-'mktextex' will be enabled by default.  The 'configure' options to
+absence of ‘configure’ options specifying otherwise, everything but
+‘mktextex’ will be enabled by default.  The ‘configure’ options to
 change the defaults are:
 
      --without-mktexfmt-default
@@ -2145,189 +2195,189 @@
      --without-mktextfm-default
      --with-mktextex-default
 
-   The 'configure' setting is overridden if the environment variable or
-configuration file value named for the script is set; e.g., 'MKTEXPK'
+   The ‘configure’ setting is overridden if the environment variable or
+configuration file value named for the script is set; e.g., ‘MKTEXPK’
 (*note mktex script arguments::).
 
-   'mktexfmt' reads a file 'fmtutil.cnf', typically located in
-'texmf/web2c/' to glean its configuration information.  The rest of the
+   ‘mktexfmt’ reads a file ‘fmtutil.cnf’, typically located in
+‘texmf/web2c/’ to glean its configuration information.  The rest of the
 files and features in this section are primarily intended for the font
 generation scripts.
 
-   As distributed, all the scripts source a file 'texmf/web2c/mktex.cnf'
-if it exists, so you can override various defaults.  See 'mktex.opt',
+   As distributed, all the scripts source a file ‘texmf/web2c/mktex.cnf’
+if it exists, so you can override various defaults.  See ‘mktex.opt’,
 for instance, which defines the default mode, resolution, some special
 directory names, etc.  If you prefer not to change the distributed
-scripts, you can simply create 'mktex.cnf' with the appropriate
+scripts, you can simply create ‘mktex.cnf’ with the appropriate
 definitions (you do not need to create it if you have nothing to put in
-it).  'mktex.cnf' has no special syntax; it's an arbitrary Bourne shell
-script.  The distribution contains a sample 'mktex.cnf' for you to copy
+it).  ‘mktex.cnf’ has no special syntax; it's an arbitrary Bourne shell
+script.  The distribution contains a sample ‘mktex.cnf’ for you to copy
 and modify as you please (it is not installed anywhere).
 
    In addition, you can configure a number of features with the
-'MT_FEATURES' variable, which you can define:
+‘MT_FEATURES’ variable, which you can define:
 
-   * in 'mktex.opt', as just mentioned;
+   • in ‘mktex.opt’, as just mentioned;
 
-   * by editing the file 'mktex.opt', either before 'make install' (in
+   • by editing the file ‘mktex.opt’, either before ‘make install’ (in
      the source hierarchy) or after (in the installed hierarchy);
 
-   * or in the environment.
+   • or in the environment.
 
-   If none of the options below are enabled, 'mktexpk', 'mktextfm', and
-'mktexmf' follow the following procedure to decide where fonts should be
+   If none of the options below are enabled, ‘mktexpk’, ‘mktextfm’, and
+‘mktexmf’ follow the following procedure to decide where fonts should be
 installed.  Find the tree where the font's sources are, and test the
-permissions of the 'fonts' directory of that tree to determine whether
+permissions of the ‘fonts’ directory of that tree to determine whether
 it is writable.  If it is, put the files in the tree in appropriate
 locations.  If it isn't writable, see whether the tree is a system tree
-(named in 'SYSTEXMF').  If so, the 'VARTEXFONTS' tree is used.  In all
+(named in ‘SYSTEXMF’).  If so, the ‘VARTEXFONTS’ tree is used.  In all
 other cases the working directory is used.
 
-   The 'appendonlydir' option is enabled by default.
+   The ‘appendonlydir’ option is enabled by default.
 
-'appendonlydir'
-     Tell 'mktexdir' to create directories append-only, i.e., set their
+‘appendonlydir’
+     Tell ‘mktexdir’ to create directories append-only, i.e., set their
      sticky bit (*note (coreutils)Mode Structure::).  This feature is
      silently ignored on non-Unix platforms (e.g.  Windows/NT and
      MS-DOS) which don't support similar functionality.  This feature is
      enabled by default.
 
-'dosnames'
-     Use 8.3 names; e.g., 'dpi600/cmr10.pk' instead of 'cmr10.600pk'.
+‘dosnames’
+     Use 8.3 names; e.g., ‘dpi600/cmr10.pk’ instead of ‘cmr10.600pk’.
      Note that this feature only affects filenames that would otherwise
-     clash with other TeX-related filenames; 'mktex' scripts do nothing
+     clash with other TeX-related filenames; ‘mktex’ scripts do nothing
      about filenames which exceed the 8+3 MS-DOS limits but remain
      unique when truncated (by the OS) to these limits, and nether do
      the scripts care about possible clashes with files which aren't
-     related with TeX. For example, 'cmr10.600pk' would clash with
-     'cmr10.600gf' and is therefore changed when 'dosnames' is in
-     effect, but 'mf.pool' and 'mp.base' don't clash with any
+     related with TeX. For example, ‘cmr10.600pk’ would clash with
+     ‘cmr10.600gf’ and is therefore changed when ‘dosnames’ is in
+     effect, but ‘mf.pool’ and ‘mp.base’ don't clash with any
      TeX-related files and are therefore unchanged.
 
      This feature is turned on by default on MS-DOS. If you do not wish
-     'dosnames' to be set on an MS-DOS platform, you need to set the
-     'MT_FEATURES' environment variable to a value that doesn't include
-     'dosnames'.  You can also change the default setting by editing
-     'mktex.opt', but only if you use the 'mktex' shell scripts; the
-     emulation programs don't consult 'mktex.opt'.
+     ‘dosnames’ to be set on an MS-DOS platform, you need to set the
+     ‘MT_FEATURES’ environment variable to a value that doesn't include
+     ‘dosnames’.  You can also change the default setting by editing
+     ‘mktex.opt’, but only if you use the ‘mktex’ shell scripts; the
+     emulation programs don't consult ‘mktex.opt’.
 
-'fontmaps'
+‘fontmaps’
      Instead of deriving the location of a font in the destination tree
      from the location of the sources, the aliases and directory names
      from the Fontname distribution are used.  (*note Introduction:
      (fontname)Top.).
 
-'nomfdrivers'
+‘nomfdrivers’
      Let mktexpk and mktextfm create metafont driver files in a
      temporary directory.  These will be used for just one metafont run
      and not installed permanently.
 
-'nomode'
+‘nomode’
      Omit the directory level for the mode name; this is fine as long as
      you generate fonts for only one mode.
 
-'stripsupplier'
+‘stripsupplier’
      Omit the font supplier name directory level.
 
-'striptypeface'
+‘striptypeface’
      Omit the font typeface name directory level.
 
-'strip'
+‘strip’
      Omit the font supplier and typeface name directory levels.  This
-     feature is deprecated in favour of 'stripsupplier' and
-     'striptypeface'.
+     feature is deprecated in favour of ‘stripsupplier’ and
+     ‘striptypeface’.
 
-'varfonts'
+‘varfonts’
      When this option is enabled, fonts that would otherwise be written
-     in system texmf tree go to the 'VARTEXFONTS' tree instead.  The
-     default value in 'kpathsea/Makefile.in' is '/var/tmp/texfonts'.
-     The 'Linux File System Standard' recommends '/var/tex/fonts'.
+     in system texmf tree go to the ‘VARTEXFONTS’ tree instead.  The
+     default value in ‘kpathsea/Makefile.in’ is ‘/var/tmp/texfonts’.
+     The ‘Linux File System Standard’ recommends ‘/var/tex/fonts’.
 
-     The 'varfonts' setting in 'MT_FEATURES' is overridden by the
-     'USE_VARTEXFONTS' environment variable: if set to '1', the feature
-     is enabled, and if set to '0', the feature is disabled.
+     The ‘varfonts’ setting in ‘MT_FEATURES’ is overridden by the
+     ‘USE_VARTEXFONTS’ environment variable: if set to ‘1’, the feature
+     is enabled, and if set to ‘0’, the feature is disabled.
 
-'texmfvar'
+‘texmfvar’
      Force generated files that would go into a system tree (as defined
-     by 'SYSTEXMF') into 'TEXMFVAR'.  Starting with teTeX-3.0, the
-     variable 'TEXMFVAR' is always set.  The 'varfonts' feature takes
+     by ‘SYSTEXMF’) into ‘TEXMFVAR’.  Starting with teTeX-3.0, the
+     variable ‘TEXMFVAR’ is always set.  The ‘varfonts’ feature takes
      precedence if also set.
 
-     The 'texmfvar' setting in 'MT_FEATURES' is overridden by the
-     'USE_TEXMFVAR' environment variable: if set to '1', the feature is
-     enabled, and if set to '0', the feature is disabled.
+     The ‘texmfvar’ setting in ‘MT_FEATURES’ is overridden by the
+     ‘USE_TEXMFVAR’ environment variable: if set to ‘1’, the feature is
+     enabled, and if set to ‘0’, the feature is disabled.
 
 
 File: kpathsea.info,  Node: mktex script names,  Next: mktex script arguments,  Prev: mktex configuration,  Up: mktex scripts
 
-6.5.2 'mktex' script names
+6.5.2 ‘mktex’ script names
 --------------------------
 
 The following table shows the default name of the script for each of the
 file types which support runtime generation.
 
-'mktexfmt'
-     ('.fmt', '.base', '.mem') TeX/Metafont/MetaPost formats.  This
-     script is also named 'fmtutil', and reads 'fmtutil.cnf' for
+‘mktexfmt’
+     (‘.fmt’, ‘.base’, ‘.mem’) TeX/Metafont/MetaPost formats.  This
+     script is also named ‘fmtutil’, and reads ‘fmtutil.cnf’ for
      configuration information.
 
-'mktexmf'
-     ('.mf') Metafont input files.
+‘mktexmf’
+     (‘.mf’) Metafont input files.
 
-'mkocp'
-     ('.ocp') Omega compiled process files.
+‘mkocp’
+     (‘.ocp’) Omega compiled process files.
 
-'mkofm'
-     ('.ofm') Omega font metric files.
+‘mkofm’
+     (‘.ofm’) Omega font metric files.
 
-'mktexpk'
-     ('pk') Glyph fonts.
+‘mktexpk’
+     (‘pk’) Glyph fonts.
 
-'mktextex'
-     ('.tex') TeX input files (disabled by default).
+‘mktextex’
+     (‘.tex’) TeX input files (disabled by default).
 
-'mktextfm'
-     ('.tfm') TFM files.
+‘mktextfm’
+     (‘.tfm’) TFM files.
 
 These names can be overridden by an environment variable specific to the
-program; for example, 'DVIPSMAKEPK' for Dvipsk.
+program; for example, ‘DVIPSMAKEPK’ for Dvipsk.
 
-   If a 'mktex...' script fails, the invocation is appended to a file
-'missfont.log' (by default) in the current directory.  After fixing the
+   If a ‘mktex...’ script fails, the invocation is appended to a file
+‘missfont.log’ (by default) in the current directory.  After fixing the
 problem, you can then execute the log file to create the missing files.
 
-   If the environment variable 'TEXMF_OUTPUT_DIRECTORY' is set,
-'missfont.log' is first tried to be written there; if it's not set, the
+   If the environment variable ‘TEXMF_OUTPUT_DIRECTORY’ is set,
+‘missfont.log’ is first tried to be written there; if it's not set, the
 current directory is tried first.  If that first write fails and the
-environment variable or configuration file value 'TEXMFOUTPUT' is set,
-we try to write 'missfont.log' there.  Otherwise nothing is written.
+environment variable or configuration file value ‘TEXMFOUTPUT’ is set,
+we try to write ‘missfont.log’ there.  Otherwise nothing is written.
 
-   The base filename 'missfont.log' is overridden by the 'MISSFONT_LOG'
+   The base filename ‘missfont.log’ is overridden by the ‘MISSFONT_LOG’
 environment variable or configuration file value.
 
 
 File: kpathsea.info,  Node: mktex script arguments,  Prev: mktex script names,  Up: mktex scripts
 
-6.5.3 'mktex' script arguments
+6.5.3 ‘mktex’ script arguments
 ------------------------------
 
-The first argument to a 'mktex' script is always the name of the file to
+The first argument to a ‘mktex’ script is always the name of the file to
 be created.
 
-   In the default 'mktexpk' implementation, additional arguments may
+   In the default ‘mktexpk’ implementation, additional arguments may
 also be passed:
 
-'--dpi NUM'
+‘--dpi NUM’
      Sets the resolution of the generated font to NUM.
-'--mfmode NAME'
+‘--mfmode NAME’
      Sets the Metafont mode to NAME.
-'--bdpi NUM'
+‘--bdpi NUM’
      Sets the "base dpi" for the font.  This must match the mode being
      used.
-'--mag STRING'
-     A "magstep" string suitable for the Metafont 'mag' variable.  This
+‘--mag STRING’
+     A "magstep" string suitable for the Metafont ‘mag’ variable.  This
      must match the combination of BDPI and DPI being used.
-'--destdir STRING'
+‘--destdir STRING’
      A directory name.  If the directory is absolute, it is used as-is.
      Otherwise, it is appended to the root destination directory set in
      the script.
@@ -2346,6 +2396,7 @@
 
 * Overview: Programming overview.         Introduction.
 * Calling sequence::                      Specifics of what to call.
+* Safe filenames::                        Only opening allowed files.
 * Program-specific files::                How to handle these.
 * Config: Programming with config files.  Getting info from texmf.cnf.
 
@@ -2368,7 +2419,7 @@
    When looking at these program sources, you should know that previous
 versions of the library had a different programming interface; the
 current interface supports re-entrancy.  Historically, the library
-function names were prefixed with 'kpse_' instead of 'kpathsea_', and
+function names were prefixed with ‘kpse_’ instead of ‘kpathsea_’, and
 they did not need an instance variable as first argument.  This change
 was made in 2009.  The old functions will never disappear, and can
 reliably continue to be used when they suffice, as they do for the
@@ -2375,37 +2426,37 @@
 programs above.  The main application using the re-entrant API is the
 MetaPost library used by MetaPost and LuaTeX.
 
-   Beyond these examples, the '.h' files in the Kpathsea source describe
-the interfaces and functionality (and of course the '.c' files define
+   Beyond these examples, the ‘.h’ files in the Kpathsea source describe
+the interfaces and functionality (and of course the ‘.c’ files define
 the actual routines, which are the ultimate documentation).
-'pathsearch.h' declares the basic searching routine.  'tex-file.h' and
-'tex-glyph.h' define the interfaces for looking up particular kinds of
+‘pathsearch.h’ declares the basic searching routine.  ‘tex-file.h’ and
+‘tex-glyph.h’ define the interfaces for looking up particular kinds of
 files.  In view of the way the headers depend on each other, it is
-recommended to use '#include <kpathsea/kpathsea.h>', which includes
+recommended to use ‘#include <kpathsea/kpathsea.h>’, which includes
 every Kpathsea header.
 
    If you want to include only specific headers, you should still
-consider including 'kpathsea/config.h' before including any other
-Kpathsea header, as it provides symbols used in the other headers.  Note
-that 'kpathsea/config.h' includes 'kpathsea/c-auto.h', which is
-generated by Autoconf.
+consider including ‘kpathsea/config.h’ before including any other
+Kpathsea header, as it provides symbols used in the other headers;
+‘kpathsea/config.h’ includes ‘kpathsea/c-auto.h’, which is generated by
+Autoconf.
 
    The library provides no way for an external program to register new
-file types: 'tex-file.[ch]' must be modified to do this.  For example,
+file types: ‘tex-file.[ch]’ must be modified to do this.  For example,
 Kpathsea has support for looking up Dvips config files, even though no
-program other than Dvips will likely ever want to do so.  I felt this
+program other than Dvips is likely to ever want to do so.  I felt this
 was acceptable, since along with new file types should also come new
-defaults in 'texmf.cnf' (and its descendant 'paths.h'), since it's
+defaults in ‘texmf.cnf’ (and its descendant ‘paths.h’), since it's
 simplest for users if they can modify one configuration file for all
 kinds of paths.
 
    Kpathsea does not parse any formats itself; it barely opens any
 files.  Its primary purpose is to return filenames.  The GNU font
-utilities does contain libraries to read TFM, GF, and PK files, as do
-the programs above, of course.
+utilities package contains libraries to read TFM, GF, and PK files, as
+do the programs above, of course.
 
 
-File: kpathsea.info,  Node: Calling sequence,  Next: Program-specific files,  Prev: Programming overview,  Up: Programming
+File: kpathsea.info,  Node: Calling sequence,  Next: Safe filenames,  Prev: Programming overview,  Up: Programming
 
 7.2 Calling sequence
 ====================
@@ -2413,133 +2464,95 @@
 The typical way to use Kpathsea in your program goes something like
 this:
 
-  1. Call 'kpathsea_new' to create a new library instance.  This
+  1. Call ‘kpathsea_new’ to create a new library instance.  This
      variable must be passed as the first argument to all the following
-     library functions.  The rest of this manual will be using 'kpse' as
+     library functions.  The rest of this manual will be using ‘kpse’ as
      a placeholder for the name of this variable.
 
-  2. Call 'kpathsea_set_program_name' with 'argv[0]' as the second
-     argument; the third argument is a string or 'NULL'.  The third
-     argument is used by Kpathsea as the program name for the '.PROGRAM'
+  2. Call ‘kpathsea_set_program_name’ with ‘argv[0]’ as the second
+     argument; the third argument is a string or ‘NULL’.  The third
+     argument is used by Kpathsea as the program name for the ‘.PROGRAM’
      feature of config files (*note Config files::).  If the third
-     argument is 'NULL', the value of the second argument is used.  This
+     argument is ‘NULL’, the value of the second argument is used.  This
      function must be called before any other use of the Kpathsea
      library.
 
-     'kpathsea_set_program_name' always sets the variables
-     'kpse->invocation_name' and 'kpse->invocation_short_name'.  These
+     ‘kpathsea_set_program_name’ always sets the variables
+     ‘kpse->invocation_name’ and ‘kpse->invocation_short_name’.  These
      variables are used in the error message macros defined in
-     'kpathsea/lib.h'.  It sets the variable 'kpse->program_name' to the
+     ‘kpathsea/lib.h’.  It sets the variable ‘kpse->program_name’ to the
      program name it uses.
 
      It also initializes debugging options based on the environment
-     variable 'KPATHSEA_DEBUG' (if that is set).
+     variable ‘KPATHSEA_DEBUG’ (if that is set).
 
-     Finally, it sets the environment variables 'SELFAUTOLOC',
-     'SELFAUTODIR' and 'SELFAUTOPARENT' to the location, parent and
-     grandparent directory of the executable, removing '.' and '..' path
+     Finally, it sets the environment variables ‘SELFAUTOLOC’,
+     ‘SELFAUTODIR’ and ‘SELFAUTOPARENT’ to the location, parent and
+     grandparent directory of the executable, removing ‘.’ and ‘..’ path
      elements and resolving symbolic links.  These are used in the
      default configuration file to allow people to invoke TeX from
-     anywhere.  You can use 'kpsewhich --expand-var=\$SELFAUTOLOC',
+     anywhere.  You can use ‘kpsewhich --expand-var=\$SELFAUTOLOC’,
      etc., to see the values.
 
   3. Set debugging options.  *Note Debugging::.  If your program doesn't
      have a debugging option already, you can define one and set
-     'kpse->debug' to the number that the user supplies (as in Dviljk
-     and Web2c), or you can just omit this altogether (people can always
-     set 'KPATHSEA_DEBUG').  If you do have runtime debugging already,
-     you need to merge Kpathsea's options with yours (as in Dvipsk and
-     Xdvik).
+     ‘kpse->debug’ to the number that the user supplies (as in Dviljk
+     and Web2c), or you can just omit this altogether (users can always
+     set the ‘KPATHSEA_DEBUG’ environment variable).  If you do have
+     runtime debugging already, you need to merge Kpathsea's options
+     with yours (as in Dvipsk and Xdvik).
 
   4. If your program has its own configuration files that can define
-     search paths, you should assign those paths to the 'client_path'
-     member in the appropriate element of the 'kpse->format_info' array.
-     (This array is indexed by file type; see 'tex-file.h'.)  See
-     'resident.c' in Dvipsk for an example.
+     search paths, you should assign those paths to the ‘client_path’
+     member in the appropriate element of the ‘kpse->format_info’ array.
+     (This array is indexed by file type; see ‘tex-file.h’.)  See
+     ‘resident.c’ in Dvipsk for an example.
 
-  5. Call 'kpathsea_init_prog' (see 'proginit.c').  It's useful for the
+  5. Call ‘kpathsea_init_prog’ (see ‘proginit.c’).  It's useful for the
      DVI drivers, at least, but for other programs it may be simpler to
      extract the parts of it that actually apply.  This does not
      initialize any paths, it just looks for (and sets) certain
-     environment variables and other random information.  (A search path
-     is always initialized at the first call to find a file of that
-     type; this eliminates much useless work, e.g., initializing the
-     BibTeX search paths in a DVI driver.)
+     environment variables and other random information.  Search paths
+     are always initialized at the first call to find a file of a given
+     type, not requiring an explicit initialization call; this
+     eliminates much useless work, e.g., initializing the BibTeX search
+     paths in a DVI driver.
 
   6. The routine to actually find a file of type FORMAT is
-     'kpathsea_find_file'.  You can call 'kpathsea_find_file' after
+     ‘kpathsea_find_file’.  You can call ‘kpathsea_find_file’ after
      doing only the first and second of the initialization steps
-     above--Kpathsea automatically reads the 'texmf.cnf' generic config
+     above--Kpathsea automatically reads the ‘texmf.cnf’ generic config
      files, looks for environment variables, and does expansions at the
      first lookup.
 
   7. To find PK and/or GF bitmap fonts, the routine is
-     'kpathsea_find_glyph', defined in 'tex-glyph.h'.  This returns a
+     ‘kpathsea_find_glyph’, defined in ‘tex-glyph.h’.  This returns a
      structure in addition to the resultant filename, because fonts can
      be found in so many ways.  See the documentation in the source.
 
-  8. To actually open a file, not just return a filename, call
-     'kpathsea_open_file'.  This function takes the name to look up and
-     a Kpathsea file format as arguments, and returns the usual 'FILE
-     *'.  It always assumes the file must exist, and thus will search
-     the disk if necessary (unless the search path specified '!!',
+  8. Before opening a file, especially for writing, you should check if
+     the filename is acceptable.  See the next section (*note Safe
+     filenames::).
+
+  9. To actually open a file, not just return a filename, call
+     ‘kpathsea_open_file’.  This function takes the name to look up and
+     a Kpathsea file format as arguments, and returns the usual ‘FILE
+     *’.  It always assumes the file must exist, and thus will search
+     the disk if necessary (unless the search path specified ‘!!’,
      etc.).  In other words, if you are looking up a VF or some other
      file that need not exist, don't use this.
 
-  9. TeX can write output files, via the '\openout' primitive.  This
-     opens a security vulnerability: an unwitting user could run a TeX
-     document that overwrites, say, '~/.profile'.  Analogous
-     vulnerabilities exist for almost any program that can write files,
-     but since users expect TeX to typeset documents, not overwrite
-     personal files, it's desirable to handle this.  To alleviate it,
-     there is a configuration variable 'openout_any', which selects one
-     of three levels of security:
-
-        * When set to 'a' (for "any"), no restrictions are imposed.
-
-        * When is set to 'r' (for "restricted"), filenames beginning
-          with '.' are disallowed (except '.tex', because LaTeX needs
-          it).
-
-        * When set to 'p' (for "paranoid"), additional restrictions are
-          imposed.  First, an absolute filename must refer to a file in
-          (or in a subdirectory of) either the 'TEXMF_OUTPUT_DIRECTORY'
-          environment variable or the 'TEXMFOUTPUT' environment variable
-          or configuration file setting.  Second, any attempt to go up a
-          directory level is forbidden; that is, paths may not contain a
-          '..' component.
-
-        * For backwards compatibility, 'y' and '1' are synonyms of 'a',
-          while 'n' and '0' are synonyms for 'r'.
-
-     The paranoid setting is the default.  Any program intended to be
-     safely called from TeX should implement the same measures, one way
-     or another.  *Note (web2c)Shell escapes::.
-
-     The function 'kpathsea_out_name_ok', with a filename as second
-     argument, returns 'true' if that filename is acceptable to be
-     opened for output or 'false' otherwise.  The Kpsewhich program has
-     options '--safe-in-name' and '--safe-out-name' to provide a command
-     line interface for the checking.
-
-  10. Similarly, the function 'kpathsea_in_name_ok', with a filename as
-     second argument, returns 'true' if that filename is acceptable to
-     be opend for input or 'false' otherwise, depending on the value of
-     the configuration variable 'openin_any' (with 'a' as default; too
-     many system directories are involved to make 'p' feasible).
-
-  11. To close the Kpathsea library instance you are using, call
-     'kpathsea_finish'.  This function closes any open log files and
+  10. To close the Kpathsea library instance you are using, call
+     ‘kpathsea_finish’.  This function closes any open log files and
      frees the memory used by the instance.
 
    Kpathsea also provides many utility routines.  Some are generic: hash
 tables, memory allocation, string concatenation and copying, string
 lists, reading input lines of arbitrary length, etc.  Others are
-filename-related: default path, tilde, and variable expansion, 'stat'
-calls, etc.  (Perhaps someday I'll move the former to a separate
-library.)
+filename-related: default path, tilde, and variable expansion, ‘stat’
+calls, etc.
 
-   The 'c-*.h' header files can also help your program adapt to many
+   The ‘c-*.h’ header files can also help your program adapt to many
 different systems.  You will almost certainly want to use Autoconf and
 probably Automake for configuring and building your software if you use
 Kpathsea; I strongly recommend using Autoconf and Automake regardless.
@@ -2546,9 +2559,90 @@
 They are available from <https://gnu.org/software>.
 
 
-File: kpathsea.info,  Node: Program-specific files,  Next: Programming with config files,  Prev: Calling sequence,  Up: Programming
+File: kpathsea.info,  Node: Safe filenames,  Next: Program-specific files,  Prev: Calling sequence,  Up: Programming
 
-7.3 Program-specific files
+7.3 Safe filenames
+==================
+
+*Note Security::, for some general security considerations with the TeX
+system.
+
+   In the implementation, the main security feature to disallow writing
+to potentially dangerous files is a configuration variable
+‘openout_any’.  It specifies one of three levels:
+
+   • When set to ‘a’ (for "any"), no restrictions are imposed.
+
+   • When is set to ‘r’ (for "restricted"), filenames beginning with ‘.’
+     are disallowed (except ‘.tex’, because LaTeX needs it).
+
+   • When set to ‘p’ (for "paranoid"), additional restrictions are
+     imposed.
+
+       1. First, an absolute filename must refer to a file in (or in a
+          subdirectory of) either the ‘TEXMF_OUTPUT_DIRECTORY’
+          environment variable or the ‘TEXMFOUTPUT’ environment variable
+          or configuration file setting.
+
+       2. LuaTeX uses a so-called "extended" mode, in which the values
+          of ‘TEXMFVAR’ and ‘TEXMFSYSVAR’ are also checked for absolute
+          filenames.  This is done because, in practice, fundamental
+          parts of the LuaLaTeX system (notably ‘luaotfload’) need a
+          cache directory, and historically the ‘TEXMF[SYS]VAR’
+          variables are what has been used.  We neither recommend nor
+          expect any other programs to need this.
+
+       3. Finally, any attempt to go up a directory level is forbidden;
+          that is, paths may not contain a ‘..’ component.
+
+   The paranoid setting is the default.  Any program intended to be
+safely called from TeX should implement the same measures, one way or
+another.  *Note (web2c)Shell escapes::.
+
+   Kpathsea does not resolve ‘..’ components, or symbolic links, to see
+if the final result is an acceptable directory; they are simply
+forbidden.  That is, Kpathsea merely considers the value as a string,
+not looking on the filesystem at all.  (However, if another program
+wants to do such resolutions and check the result, that's ok.)
+
+   For backwards compatibility, ‘y’ and ‘1’ are synonyms of ‘a’, while
+‘n’ and ‘0’ are synonyms for ‘r’.
+
+   The function ‘kpathsea_out_name_ok’, with a filename as second
+argument, returns ‘true’ if that filename is acceptable to be opened for
+output or ‘false’ otherwise.  The Kpsewhich program has an option
+(‘--safe-out-name’) providing a command line interface for the check.
+
+   For LuaTeX's extended mode, the function is
+‘kpathsea_out_name_ok_extended’, and the Kpsewhich option is
+‘--safe-extended-out-name’.
+
+   Similarly, the function ‘kpathsea_in_name_ok’ (resp. ‘_extended’,
+with a filename as second argument, returns ‘true’ if that filename is
+acceptable to be opend for input or ‘false’ otherwise, depending on the
+value of the configuration variable ‘openin_any’.  Unfortunately, for
+reading, ‘a’ is the default default; too many system directories and
+files get involved to make ‘r’ or ‘p’ feasible.
+
+   The functions above write a message to standard error if the usage is
+forbidden (so every caller does not have to do so).  Each function has a
+‘_silent’ counterpart which does not write the message; this is what
+Kpsewhich calls, since messages would be counterproductive in that case.
+Thus:
+
+     kpathsea_out_name_ok_silent
+     kpathsea_out_name_ok_silent_extended
+     kpathsea_in_name_ok_silent
+     kpathsea_in_name_ok_silent_extended
+
+   Sorry for the combinatorial explosion, but we hope no further options
+will ever be needed.  If so, we'll likely provide a more generic
+interface as well as the above.
+
+
+File: kpathsea.info,  Node: Program-specific files,  Next: Programming with config files,  Prev: Safe filenames,  Up: Programming
+
+7.4 Program-specific files
 ==========================
 
 Many programs will need to find some configuration files.  Kpathsea
@@ -2555,49 +2649,49 @@
 contains some support to make it easy to place them in their own
 directories.  The Standard TeX directory structure (*note Introduction:
 (tds)Top.), specifies that such files should go into a subdirectory
-named after the program, like 'texmf/ttf2pk'.
+named after the program, like ‘texmf/ttf2pk’.
 
-   Two formats, 'kpse_program_text_format' and
-'kpse_program_binary_format', use '.:$TEXMF/PROGRAM//' as their
+   Two formats, ‘kpse_program_text_format’ and
+‘kpse_program_binary_format’, use ‘.:$TEXMF/PROGRAM//’ as their
 compiled-in search path.  To override this default, you can use the
-variable 'PROGRAMINPUTS' in the environment and/or 'texmf.cnf'.  That is
+variable ‘PROGRAMINPUTS’ in the environment and/or ‘texmf.cnf’.  That is
 to say, the name of the variable is constructed by converting the name
-of the program to upper case, and appending 'INPUTS'.
+of the program to upper case, and appending ‘INPUTS’.
 
    The only difference between these two formats is whether
-'kpathsea_open_file' will open the files it finds in text or binary
+‘kpathsea_open_file’ will open the files it finds in text or binary
 mode.
 
 
 File: kpathsea.info,  Node: Programming with config files,  Prev: Program-specific files,  Up: Programming
 
-7.4 Programming with config files
+7.5 Programming with config files
 =================================
 
-You can (and probably should) use the same 'texmf.cnf' configuration
+You can (and probably should) use the same ‘texmf.cnf’ configuration
 file that Kpathsea uses for your program.  This helps installers by
 keeping all configuration in one place.
 
    To retrieve a value for a configuration variable VAR, the best way is
-to call 'kpathsea_var_value' on the string 'VAR'.  This will look first
+to call ‘kpathsea_var_value’ on the string ‘VAR’.  This will look first
 for an environment variable VAR, then a config file value.  The result
-will be the value found or 'NULL'.  This function is declared in
-'kpathsea/variable.h'.  For an example, see the 'shell_escape' code in
-'web2c/lib/texmfmp.c'.
+will be the value found or ‘NULL’.  This function is declared in
+‘kpathsea/variable.h’.  For an example, see the ‘shell_escape’ code in
+‘web2c/lib/texmfmp.c’.
 
    The routine to do full variable and tilde expansion of an arbitrary
 string in the context of a search path (as opposed to simply retrieving
-a value) is 'kpathsea_var_expand', also declared in
-'kpathsea/variable.h'.  However, it's generally only necessary to set
+a value) is ‘kpathsea_var_expand’, also declared in
+‘kpathsea/variable.h’.  However, it's generally only necessary to set
 the search path structure components as explained in the previous
 section instead of using this directly.  Because of its usage with any
-input string, undefined '$FOO' constructs in the argument to
-'kpathsea_var_expand' are returned literally ('"$FOO"'), while undefined
-'${FOO}' constructs are expanded to the empty string.
+input string, undefined ‘$FOO’ constructs in the argument to
+‘kpathsea_var_expand’ are returned literally (‘"$FOO"’), while undefined
+‘${FOO}’ constructs are expanded to the empty string.
 
    If for some reason you want to retrieve a value _only_ from a config
 file, not automatically looking for a corresponding environment
-variable, call 'kpathsea_cnf_get' (declared in 'kpathsea/cnf.h') with
+variable, call ‘kpathsea_cnf_get’ (declared in ‘kpathsea/cnf.h’) with
 the string VAR.
 
    No initialization calls are needed.
@@ -2638,53 +2732,53 @@
 information necessary for reproduction.  Therefore, to enable
 investigation, your report should include the following:
 
-   * The version number(s) of the program(s) involved, and of Kpathsea
-     itself.  You can get the former by giving a sole option '--version'
-     to the program, and the latter by running 'kpsewhich --version'.
-     The 'NEWS' and 'ChangeLog' files also contain the version number.
+   • The version number(s) of the program(s) involved, and of Kpathsea
+     itself.  You can get the former by giving a sole option ‘--version’
+     to the program, and the latter by running ‘kpsewhich --version’.
+     The ‘NEWS’ and ‘ChangeLog’ files also contain the version number.
 
-   * The hardware, operating system (including version), compiler, and
-     'make' program you are using (the output of 'uname -a' is a start
+   • The hardware, operating system (including version), compiler, and
+     ‘make’ program you are using (the output of ‘uname -a’ is a start
      on the first two, though incomplete).
 
-   * Any options you gave to 'configure'.  This is recorded in the
-     'config.status' files.
+   • Any options you gave to ‘configure’.  This is recorded in the
+     ‘config.status’ files.
 
-     If you are reporting a bug in 'configure' itself, it's probably
+     If you are reporting a bug in ‘configure’ itself, it's probably
      system-dependent, and it will be unlikely the maintainers can do
      anything useful if you merely report that thus-and-such is broken.
      Therefore, you need to do some additional work: for some bugs, you
-     can look in the file 'config.log' where the test that failed should
+     can look in the file ‘config.log’ where the test that failed should
      appear, along with the compiler invocation and source program in
      question.  You can then compile it yourself by hand, and discover
-     why the test failed.  Other 'configure' bugs do not involve the
+     why the test failed.  Other ‘configure’ bugs do not involve the
      compiler; in that case, the only recourse is to inspect the
-     'configure' shell script itself, or the Autoconf macros that
-     generated 'configure'.
+     ‘configure’ shell script itself, or the Autoconf macros that
+     generated ‘configure’.
 
-   * The log of all debugging output, if the bug is in path searching.
+   • The log of all debugging output, if the bug is in path searching.
      You can get this by setting the environment variable
-     'KPATHSEA_DEBUG' to '-1' before running the program.  Please look
+     ‘KPATHSEA_DEBUG’ to ‘-1’ before running the program.  Please look
      at the log yourself to make sure the behavior is really a bug
      before reporting it; perhaps "old" environment variable settings
      are causing files not to be found, for example.
 
-   * The contents of any input files necessary to reproduce the bug.
+   • The contents of any input files necessary to reproduce the bug.
      For bugs in DVI-reading programs, for example, this generally means
      a DVI file (and any EPS or other files it uses)--TeX source files
      are helpful, but the DVI file is required, because that's the
      actual program input.
 
-   * If you are sending a patch (do so if you can!), please do so in the
-     form of a context diff ('diff -c') against the original
+   • If you are sending a patch (do so if you can!), please do so in the
+     form of a context diff (‘diff -c’) against the original
      distribution source.  Any other form of diff is either not as
      complete or harder for me to understand.  Please also include a
-     'ChangeLog' entry.
+     ‘ChangeLog’ entry.
 
-   * If the bug involved is an actual crash (i.e., core dump), it is
+   • If the bug involved is an actual crash (i.e., core dump), it is
      easy and useful to include a stack trace from a debugger (I
      recommend the GNU debugger GDB (<https://gnu.org/software/gdb>).
-     If the cause is apparent (a 'NULL' value being dereferenced, for
+     If the cause is apparent (a ‘NULL’ value being dereferenced, for
      example), please send the details along.  If the program involved
      is TeX or Metafont, and the crash is happening at apparently-sound
      code, however, the bug may well be in the compiler, rather than in
@@ -2691,7 +2785,7 @@
      the program or the library (*note TeX or Metafont failing: TeX or
      Metafont failing.).
 
-   * Any additional information that will be helpful in reproducing,
+   • Any additional information that will be helpful in reproducing,
      diagnosing, or fixing the bug.
 
 
@@ -2724,19 +2818,19 @@
 expect aren't being found, the thing to do is enable these options and
 examine the output.
 
-   You can set these with some runtime argument (e.g., '-d') to the
+   You can set these with some runtime argument (e.g., ‘-d’) to the
 program; in that case, you should use the numeric values described in
 the program's documentation (which, for Dvipsk and Xdvik, are different
-than those below).  It's best to give the '-d' (or whatever) option
+than those below).  It's best to give the ‘-d’ (or whatever) option
 first, for maximal output.  Dvipsk and Xdvik have additional
 program-specific debugging options as well.
 
-   You can also set the environment variable 'KPATHSEA_DEBUG'; in this
+   You can also set the environment variable ‘KPATHSEA_DEBUG’; in this
 case, you should use the numbers below.  If you run the program under a
-debugger and set the instance variable 'kpse->debug', also use the
+debugger and set the instance variable ‘kpse->debug’, also use the
 numbers below.
 
-   In any case, by far the simplest value to use is '-1', which will
+   In any case, by far the simplest value to use is ‘-1’, which will
 turn on all debugging output.  This is usually better than guessing
 which particular values will yield the output you need.
 
@@ -2751,78 +2845,78 @@
 somebody's numbers.  (Sorry.)  To set more than one option, just sum the
 corresponding numbers.
 
-'KPSE_DEBUG_STAT (1)'
-     Report 'stat'(2) calls.  This is useful for verifying that your
+‘KPSE_DEBUG_STAT (1)’
+     Report ‘stat’(2) calls.  This is useful for verifying that your
      directory structure is not forcing Kpathsea to do many additional
      file tests (*note Slow path searching::, and *note Subdirectory
-     expansion::).  If you are using an up-to-date 'ls-R' database
+     expansion::).  If you are using an up-to-date ‘ls-R’ database
      (*note Filename database::), this should produce no output unless a
      nonexistent file that must exist is searched for.
 
-'KPSE_DEBUG_HASH (2)'
-     Report lookups in all hash tables: 'ls-R' and 'aliases' (*note
+‘KPSE_DEBUG_HASH (2)’
+     Report lookups in all hash tables: ‘ls-R’ and ‘aliases’ (*note
      Filename database::); font aliases (*note Fontmap::); and config
      file values (*note Config files::).  Useful when expected values
      are not being found, e.g.., file searches are looking at the disk
-     instead of using 'ls-R'.
+     instead of using ‘ls-R’.
 
-'KPSE_DEBUG_FOPEN (4)'
+‘KPSE_DEBUG_FOPEN (4)’
      Report file openings and closings.  Especially useful when your
      system's file table is full, for seeing which files have been
      opened but never closed.  In case you want to set breakpoints in a
-     debugger: this works by redefining 'fopen' ('fclose') to be
-     'kpse_fopen_trace' ('kpse_fclose_trace').
+     debugger: this works by redefining ‘fopen’ (‘fclose’) to be
+     ‘kpse_fopen_trace’ (‘kpse_fclose_trace’).
 
-'KPSE_DEBUG_PATHS (8)'
+‘KPSE_DEBUG_PATHS (8)’
      Report general path information for each file type Kpathsea is
      asked to search.  This is useful when you are trying to track down
-     how a particular path got defined--from 'texmf.cnf', 'config.ps',
+     how a particular path got defined--from ‘texmf.cnf’, ‘config.ps’,
      an environment variable, the compile-time default, etc.  This is
-     the contents of the 'kpse_format_info_type' structure defined in
-     'tex-file.h'.
+     the contents of the ‘kpse_format_info_type’ structure defined in
+     ‘tex-file.h’.
 
-'KPSE_DEBUG_EXPAND (16)'
+‘KPSE_DEBUG_EXPAND (16)’
      Report the directory list corresponding to each path element
      Kpathsea searches.  This is only relevant when Kpathsea searches
-     the disk, since 'ls-R' searches don't look through directory lists
+     the disk, since ‘ls-R’ searches don't look through directory lists
      in this way.
 
-'KPSE_DEBUG_SEARCH (32)'
+‘KPSE_DEBUG_SEARCH (32)’
      Report on each file search: the name of the file searched for, the
      path searched in, whether or not the file must exist (when drivers
-     search for 'cmr10.vf', it need not exist), and whether or not we
+     search for ‘cmr10.vf’, it need not exist), and whether or not we
      are collecting all occurrences of the file in the path (as with,
-     e.g., 'texmf.cnf' and 'texfonts.map'), or just the first (as with
+     e.g., ‘texmf.cnf’ and ‘texfonts.map’), or just the first (as with
      most lookups).  This can help you correlate what Kpathsea is doing
      with what is in your input file.
 
-'KPSE_DEBUG_VARS (64)'
+‘KPSE_DEBUG_VARS (64)’
      Report the value of each variable Kpathsea looks up.  This is
      useful for verifying that variables do indeed obtain their correct
      values.
 
-'GSFTOPK_DEBUG (128)'
-     Activates debugging printout specific to 'gsftopk' program.
+‘GSFTOPK_DEBUG (128)’
+     Activates debugging printout specific to ‘gsftopk’ program.
 
-'MAKETEX_DEBUG (512)'
-     If you use the optional 'mktex' programs instead of the traditional
+‘MAKETEX_DEBUG (512)’
+     If you use the optional ‘mktex’ programs instead of the traditional
      shell scripts, this will report the name of the site file
-     ('mktex.cnf' by default) which is read, directories created by
-     'mktexdir', the full path of the 'ls-R' database built by
-     'mktexlsr', font map searches, 'MT_FEATURES' in effect, parameters
-     from 'mktexnam', filenames added by 'mktexupd', and some subsidiary
+     (‘mktex.cnf’ by default) which is read, directories created by
+     ‘mktexdir’, the full path of the ‘ls-R’ database built by
+     ‘mktexlsr’, font map searches, ‘MT_FEATURES’ in effect, parameters
+     from ‘mktexnam’, filenames added by ‘mktexupd’, and some subsidiary
      commands run by the programs.
 
-'MAKETEX_FINE_DEBUG (1024)'
-     When the optional 'mktex' programs are used, this will print
+‘MAKETEX_FINE_DEBUG (1024)’
+     When the optional ‘mktex’ programs are used, this will print
      additional debugging info from functions internal to these
      programs.
 
    Debugging output from Kpathsea is always written to standard error,
-and begins with the string 'kdebug:'.  (Except for hash table buckets,
+and begins with the string ‘kdebug:’.  (Except for hash table buckets,
 which just start with the number, but you can only get that output
-running under a debugger.  See comments at the 'hash_summary_only'
-variable in 'kpathsea/db.c'.)
+running under a debugger.  See comments at the ‘hash_summary_only’
+variable in ‘kpathsea/db.c’.)
 
 
 File: kpathsea.info,  Node: Logging,  Next: Common problems,  Prev: Debugging,  Up: Reporting bugs
@@ -2835,7 +2929,7 @@
 your filesystem is full, or in discovering usage patterns at your site.
 
    To do this, define the environment or config file variable
-'TEXMFLOG'.  The value is the name of the file to append the information
+‘TEXMFLOG’.  The value is the name of the file to append the information
 to.  The file is created if it doesn't exist, and appended to if it
 does.
 
@@ -2842,11 +2936,11 @@
    Each successful search turns into one line in the log file: two words
 separated by a space.  The first word is the time of the search, as the
 integer number of seconds since "the epoch", i.e., UTC midnight 1
-January 1970 (more precisely, the result of the 'time' system call).
+January 1970 (more precisely, the result of the ‘time’ system call).
 The second word is the filename.
 
-   For example, after 'setenv TEXMFLOG /tmp/log', running Dvips on
-'story.dvi' appends the following lines:
+   For example, after ‘setenv TEXMFLOG /tmp/log’, running Dvips on
+‘story.dvi’ appends the following lines:
 
      774455887 /usr/local/share/texmf/dvips/config.ps
      774455887 /usr/local/share/texmf/dvips/psfonts.map
@@ -2859,13 +2953,13 @@
 Only filenames that are absolute are recorded, to preserve some
 semblance of privacy.
 
-   In addition to this Kpathsea-specific logging, 'pdftex' provides an
-option '-recorder' to write the names of all files accessed during a run
-to the file 'BASEFILE.fls'.
+   In addition to this Kpathsea-specific logging, ‘pdftex’ provides an
+option ‘-recorder’ to write the names of all files accessed during a run
+to the file ‘BASEFILE.fls’.
 
    Finally, most systems provide a general tool to output each system
 call, thus including opening and closing files.  It might be named
-'strace', 'truss', 'struss', or something else.
+‘strace’, ‘truss’, ‘struss’, or something else.
 
 
 File: kpathsea.info,  Node: Common problems,  Prev: Logging,  Up: Reporting bugs
@@ -2893,19 +2987,19 @@
 of several things might be wrong.  In any case, you may find the
 debugging options helpful.  *Note Debugging::.
 
-   * Perhaps you simply haven't installed all the necessary files; the
+   • Perhaps you simply haven't installed all the necessary files; the
      basic fonts and input files are distributed separately from the
      programs.  *Note unixtex.ftp::.
 
-   * You have (perhaps unknowingly) told Kpathsea to use search paths
+   • You have (perhaps unknowingly) told Kpathsea to use search paths
      that don't reflect where the files actually are.  One common cause
      is having environment variables set from a previous installation,
-     thus overriding what you carefully set in 'texmf.cnf' (*note
-     Supported file formats::).  System '/etc/profile' or other files
+     thus overriding what you carefully set in ‘texmf.cnf’ (*note
+     Supported file formats::).  System ‘/etc/profile’ or other files
      such may be the culprit.
 
-   * Your files reside in a directory that is only pointed to via a
-     symbolic link, in a leaf directory and is not listed in 'ls-R'.
+   • Your files reside in a directory that is only pointed to via a
+     symbolic link, in a leaf directory and is not listed in ‘ls-R’.
 
      Unfortunately, Kpathsea's subdirectory searching has an
      irremediable deficiency: If a directory D being searched for
@@ -2918,21 +3012,21 @@
      subdirectory in D.  Then D will no longer be a leaf, and the
      symlinks will be followed.
 
-     The directory immediately followed by the '//' in the path
+     The directory immediately followed by the ‘//’ in the path
      specification, however, is always searched for subdirectories, even
      if it is a leaf.  Presumably you would not have asked for the
      directory to be searched for subdirectories if you didn't want it
      to be.
 
-   * If the fonts (or whatever) don't already exist, 'mktexpk' (or
-     'mktexmf' or 'mktextfm') will try to create them.  If these rather
+   • If the fonts (or whatever) don't already exist, ‘mktexpk’ (or
+     ‘mktexmf’ or ‘mktextfm’) will try to create them.  If these rather
      complicated shell scripts fail, you'll eventually get an error
-     message saying something like 'Can't find font FONTNAME'.  The best
-     solution is to fix (or at least report) the bug in 'mktexpk'; the
+     message saying something like ‘Can't find font FONTNAME’.  The best
+     solution is to fix (or at least report) the bug in ‘mktexpk’; the
      workaround is to generate the necessary fonts by hand with
      Metafont, or to grab them from a CTAN site (*note unixtex.ftp::).
 
-   * There is a bug in the library.  *Note Reporting bugs::.
+   • There is a bug in the library.  *Note Reporting bugs::.
 
 
 File: kpathsea.info,  Node: Slow path searching,  Next: Unable to generate fonts,  Prev: Unable to find files,  Up: Common problems
@@ -2944,19 +3038,19 @@
 input files, but does eventually succeed, here are some possible
 culprits:
 
-   * Most likely, you just have a lot of directories to search, and that
+   • Most likely, you just have a lot of directories to search, and that
      takes a noticeable time.  The solution is to create and maintain a
-     separate 'ls-R' file that lists all the files in your main TeX
-     hierarchy.  *Note Filename database::.  Kpathsea always uses 'ls-R'
+     separate ‘ls-R’ file that lists all the files in your main TeX
+     hierarchy.  *Note Filename database::.  Kpathsea always uses ‘ls-R’
      if it's present; there's no need to recompile or reconfigure any of
      the programs.
 
-   * Your recursively-searched directories (e.g.,
-     '/usr/local/share/texmf/fonts//'), contain a mixture of files and
+   • Your recursively-searched directories (e.g.,
+     ‘/usr/local/share/texmf/fonts//’), contain a mixture of files and
      directories.  This prevents Kpathsea from using a useful
      optimization (*note Subdirectory expansion::).
 
-     It is best to have only directories (and perhaps a 'README') in the
+     It is best to have only directories (and perhaps a ‘README’) in the
      upper levels of the directory structure, and it's very important to
      have _only_ files, and no subdirectories, in the leaf directories
      where the dozens of TFM, PK, or whatever files reside.
@@ -2977,17 +3071,17 @@
 generate these on the fly when they are needed, but this generation may
 fail in several cases.
 
-   If 'mktexpk' runs, but fails with this error:
+   If ‘mktexpk’ runs, but fails with this error:
      mktexpk: Can't guess mode for NNN dpi devices.
      mktexpk: Use a config file to specify the mode, or update me.
    you need to ensure the resolution and mode match; just specifying the
-resolution, as in '-D 360', is not enough.
+resolution, as in ‘-D 360’, is not enough.
 
-   You can specify the mode name with the '-mode' option on the Dvips
+   You can specify the mode name with the ‘-mode’ option on the Dvips
 command line, or in a Dvips configuration file (*note (dvips)Config
-files::), such as 'config.ps' in your document directory, '~/.dvipsrc'
+files::), such as ‘config.ps’ in your document directory, ‘~/.dvipsrc’
 in your home directory, or in a system directory (again named
-'config.ps').  (Other drivers use other files, naturally.)
+‘config.ps’).  (Other drivers use other files, naturally.)
 
    For example, if you need 360dpi fonts, you could include this in a
 configuration file:
@@ -2995,7 +3089,7 @@
      M lqmed
 
    If Metafont runs, but generates fonts at the wrong resolution or for
-the wrong device, most likely 'mktexpk''s built-in guess for the mode is
+the wrong device, most likely ‘mktexpk’'s built-in guess for the mode is
 wrong, and you should override it as above.
 
    See <https://ctan.org/pkg/modes> for a list of resolutions and mode
@@ -3005,18 +3099,18 @@
 prints out the name of each character as well as just a character
 number, and maybe tries to display the characters), then your Metafont
 base file probably hasn't been made properly.  (It's using the default
-'proof' mode, instead of an actual device mode.)  To make a proper
-'plain.base', assuming the local mode definitions are contained in a
-file 'modes.mf', run the following command (assuming Unix):
+‘proof’ mode, instead of an actual device mode.)  To make a proper
+‘plain.base’, assuming the local mode definitions are contained in a
+file ‘modes.mf’, run the following command (assuming Unix):
 
      inimf "plain; input modes; dump"
 
-Then copy the 'plain.base' file from the current directory to where the
-base files are stored on your system ('/usr/local/share/texmf/web2c' by
-default), and make a link (either hard or soft) from 'plain.base' to
-'mf.base' in that directory.  *Note (web2c)inimf invocation::.
+Then copy the ‘plain.base’ file from the current directory to where the
+base files are stored on your system (‘/usr/local/share/texmf/web2c’ by
+default), and make a link (either hard or soft) from ‘plain.base’ to
+‘mf.base’ in that directory.  *Note (web2c)inimf invocation::.
 
-   If 'mf' is a command not found at all by 'mktexpk', then you need to
+   If ‘mf’ is a command not found at all by ‘mktexpk’, then you need to
 install Metafont (*note unixtex.ftp::).
 
 
@@ -3054,11 +3148,6 @@
  [index ]
 * Menu:
 
-* !! and casefolding:                    Casefolding examples.
-                                                              (line  57)
-* !! in path specifications:             ls-R.                (line  57)
-* !! in TEXMFDBS:                        ls-R.                (line  11)
-* $ expansion:                           Variable expansion.  (line   6)
 * --all:                                 Path searching options.
                                                               (line  12)
 * --casefold-search:                     Path searching options.
@@ -3095,13 +3184,15 @@
                                                               (line 173)
 * --progname=NAME:                       Path searching options.
                                                               (line 181)
-* --safe-in-name=NAME:                   Auxiliary tasks.     (line  48)
-* --safe-out-name=NAME:                  Auxiliary tasks.     (line  48)
-* --show-path=NAME:                      Auxiliary tasks.     (line  54)
+* --safe-extended-in-name=NAME:          Auxiliary tasks.     (line  48)
+* --safe-extended-out-name=NAME:         Auxiliary tasks.     (line  48)
+* --safe-in-name=NAME:                   Auxiliary tasks.     (line  54)
+* --safe-out-name=NAME:                  Auxiliary tasks.     (line  54)
+* --show-path=NAME:                      Auxiliary tasks.     (line  60)
 * --subdir=STRING:                       Path searching options.
                                                               (line 186)
-* --var-brace-value=VARIABLE:            Auxiliary tasks.     (line  60)
-* --var-value=VARIABLE:                  Auxiliary tasks.     (line  74)
+* --var-brace-value=VARIABLE:            Auxiliary tasks.     (line  66)
+* --var-value=VARIABLE:                  Auxiliary tasks.     (line  80)
 * --version:                             Standard options.    (line  11)
 * --with-mktextex-default:               mktex configuration. (line  12)
 * --without-mktexfmt-default:            mktex configuration. (line  12)
@@ -3117,6 +3208,13 @@
 * -iname, find predicate:                Casefolding examples.
                                                               (line  78)
 * -L option to ls:                       ls-R.                (line  44)
+* ; translated to : in texmf.cnf:        Config files.        (line  66)
+* : may not be ::                        Searching overview.  (line  13)
+* :: expansion:                          Default expansion.   (line   6)
+* !! and casefolding:                    Casefolding examples.
+                                                              (line  57)
+* !! in path specifications:             ls-R.                (line  57)
+* !! in TEXMFDBS:                        ls-R.                (line  11)
 * . directories, ignored:                ls-R.                (line  39)
 * . files:                               ls-R.                (line  39)
 * .2602gf:                               Unable to generate fonts.
@@ -3201,8 +3299,8 @@
                                                               (line 199)
 * .pro:                                  Supported file formats.
                                                               (line 173)
+* .profile, (un)writable by TeX:         Security.            (line  16)
 * .PROGNAME qualifier in texmf.cnf:      Config files.        (line  50)
-* .rhosts, writable by TeX:              Security.            (line  10)
 * .ris:                                  Supported file formats.
                                                               (line 177)
 * .sfd:                                  Supported file formats.
@@ -3232,6 +3330,7 @@
                                                               (line  53)
 * .web <1>:                              Supported file formats.
                                                               (line 227)
+* { expansion:                           Brace expansion.     (line   6)
 * / may not be /:                        Searching overview.  (line  13)
 * /, trailing in home directory:         Tilde expansion.     (line  19)
 * //:                                    Subdirectory expansion.
@@ -3240,19 +3339,17 @@
                                                               (line  14)
 * /etc/profile and aliases:              ls-R.                (line  25)
 * /var/tmp/texfonts:                     mktex configuration. (line 113)
-* 2602gf:                                Unable to generate fonts.
-                                                              (line  36)
-* 8.3 filenames, using:                  mktex configuration. (line  68)
-* : may not be ::                        Searching overview.  (line  13)
-* :: expansion:                          Default expansion.   (line   6)
-* ; translated to : in texmf.cnf:        Config files.        (line  66)
-* = omitted in texmf.cnf and misparsing: Config files.        (line  86)
 * \, line continuation in texmf.cnf:     Config files.        (line  37)
 * \openin:                               Searching overview.  (line  31)
+* \openout:                              Security.            (line  16)
 * \special, suppressing warnings about:  Suppressing warnings.
                                                               (line  31)
-* { expansion:                           Brace expansion.     (line   6)
+* = omitted in texmf.cnf and misparsing: Config files.        (line  86)
 * ~ expansion:                           Tilde expansion.     (line   6)
+* $ expansion:                           Variable expansion.  (line   6)
+* 2602gf:                                Unable to generate fonts.
+                                                              (line  36)
+* 8.3 filenames, using:                  mktex configuration. (line  68)
 * absolute filenames:                    Searching overview.  (line  58)
 * access system call:                    Casefolding examples.
                                                               (line  86)
@@ -3270,7 +3367,8 @@
 * announcement mailing list:             Mailing lists.       (line   6)
 * API, re-entrant:                       Programming overview.
                                                               (line  16)
-* append-only directories and mktexpk:   Security.            (line  36)
+* append-only directories and mktexpk:   Global font cache and security.
+                                                              (line  19)
 * appendonlydir:                         mktex configuration. (line  60)
 * Apple filesystem, case-insensitive:    Casefolding rationale.
                                                               (line   6)
@@ -3277,7 +3375,7 @@
 * arguments to mktex:                    mktex script arguments.
                                                               (line   6)
 * argv[0]:                               Calling sequence.    (line  14)
-* autoconf, recommended:                 Calling sequence.    (line 135)
+* autoconf, recommended:                 Calling sequence.    (line  97)
 * automounter, and ls-R:                 ls-R.                (line  46)
 * auxiliary tasks:                       Auxiliary tasks.     (line   6)
 * Bach, Johann Sebastian:                Default expansion.   (line  41)
@@ -3301,10 +3399,11 @@
 * bug checklist:                         Bug checklist.       (line   6)
 * bug mailing list:                      Mailing lists.       (line   6)
 * bugs, reporting:                       Reporting bugs.      (line   6)
-* c-*.h:                                 Calling sequence.    (line 135)
+* c-*.h:                                 Calling sequence.    (line  97)
 * c-auto.h:                              Programming overview.
                                                               (line  35)
-* cache of fonts, local:                 Security.            (line  22)
+* cache of fonts, local:                 Global font cache and security.
+                                                              (line   6)
 * calling sequence:                      Calling sequence.    (line   6)
 * casefolding examples:                  Casefolding examples.
                                                               (line   6)
@@ -3357,6 +3456,7 @@
 * context diff:                          Bug checklist.       (line  52)
 * continuation character:                Config files.        (line  37)
 * core dumps, reporting:                 Bug checklist.       (line  58)
+* crashes of TeX and security:           Security.            (line  43)
 * crashes, reporting:                    Bug checklist.       (line  58)
 * CWEBINPUTS:                            Supported file formats.
                                                               (line  53)
@@ -3374,7 +3474,8 @@
 * device, wrong:                         Unable to generate fonts.
                                                               (line  29)
 * directories, making append-only:       mktex configuration. (line  61)
-* directory permissions:                 Security.            (line  51)
+* directory permissions:                 Global font cache and security.
+                                                              (line  34)
 * directory structure, for TeX files:    TeX directory structure.
                                                               (line   6)
 * disabling mktex scripts:               mktex configuration. (line   6)
@@ -3442,7 +3543,8 @@
 * file formats, supported:               Supported file formats.
                                                               (line   6)
 * file lookup:                           File lookup.         (line   6)
-* file permissions:                      Security.            (line  47)
+* file permissions:                      Global font cache and security.
+                                                              (line  30)
 * file types, registering new:           Programming overview.
                                                               (line  41)
 * filename aliases:                      Filename aliases.    (line   6)
@@ -3489,7 +3591,8 @@
                                                               (line  75)
 * GFFONTS:                               Supported file formats.
                                                               (line  75)
-* globally writable directories:         Security.            (line  30)
+* globally writable directories:         Global font cache and security.
+                                                              (line  13)
 * glyph lookup:                          Glyph lookup.        (line   6)
 * glyph lookup bitmap tolerance:         Basic glyph lookup.  (line  15)
 * GLYPHFONTS:                            Supported file formats.
@@ -3501,10 +3604,11 @@
 * GNU C compiler bugs:                   TeX or Metafont failing.
                                                               (line  16)
 * GNU General Public License:            Introduction.        (line  32)
-* group-writable directories:            Security.            (line  40)
+* group-writable directories:            Global font cache and security.
+                                                              (line  23)
 * GSFTOPK_DEBUG (128):                   Debugging.           (line  88)
 * hash table buckets, printing:          Debugging.           (line 105)
-* hash table routines:                   Calling sequence.    (line 128)
+* hash table routines:                   Calling sequence.    (line  91)
 * hash_summary_only variable for debugging: Debugging.        (line 105)
 * history of Kpathsea:                   History.             (line   6)
 * Hoekwater, Taco:                       History.             (line  78)
@@ -3514,7 +3618,7 @@
 * include fontmap directive:             Fontmap.             (line  36)
 * INDEXSTYLE:                            Supported file formats.
                                                               (line  84)
-* input lines, reading:                  Calling sequence.    (line 128)
+* input lines, reading:                  Calling sequence.    (line  91)
 * interactive query:                     Path searching options.
                                                               (line 152)
 * interface, not frozen:                 Introduction.        (line  29)
@@ -3524,35 +3628,34 @@
 * Knuth, Donald E.:                      History.             (line   6)
 * Knuth, Donald E., archive of programs by: unixtex.ftp.      (line  20)
 * Kpathsea config file, source for path: Path sources.        (line  20)
-* kpathsea.h:                            Programming overview.
-                                                              (line  26)
 * kpathsea_cnf_get:                      Programming with config files.
                                                               (line  27)
 * KPATHSEA_DEBUG:                        Calling sequence.    (line  28)
 * KPATHSEA_DEBUG <1>:                    Debugging.           (line  18)
-* kpathsea_find_file:                    File lookup.         (line  38)
-* kpathsea_find_file <1>:                Calling sequence.    (line  62)
+* kpathsea_find_file:                    File lookup.         (line  37)
+* kpathsea_find_file <1>:                Calling sequence.    (line  63)
 * kpathsea_find_glyph:                   Glyph lookup.        (line  26)
-* kpathsea_finish:                       Calling sequence.    (line 124)
+* kpathsea_find_glyph <1>:               Calling sequence.    (line  70)
+* kpathsea_finish:                       Calling sequence.    (line  87)
+* kpathsea_in_name_ok:                   Safe filenames.      (line  59)
+* kpathsea_in_name_ok_extended:          Safe filenames.      (line  59)
+* kpathsea_in_name_ok_silent:            Safe filenames.      (line  72)
+* kpathsea_in_name_ok_silent_extended:   Safe filenames.      (line  72)
 * kpathsea_init_prog:                    Fallback font.       (line  15)
 * kpathsea_init_prog <1>:                Calling sequence.    (line  53)
-* kpathsea_in_name_ok:                   Calling sequence.    (line 118)
 * kpathsea_new:                          Calling sequence.    (line   9)
-* kpathsea_open_file:                    Calling sequence.    (line  74)
-* kpathsea_out_name_ok:                  Calling sequence.    (line  82)
+* kpathsea_open_file:                    Calling sequence.    (line  79)
+* kpathsea_out_name_ok:                  Safe filenames.      (line  50)
+* kpathsea_out_name_ok_extended:         Safe filenames.      (line  55)
+* kpathsea_out_name_ok_silent:           Safe filenames.      (line  72)
+* kpathsea_out_name_ok_silent_extended:  Safe filenames.      (line  72)
 * kpathsea_set_program_name:             Calling sequence.    (line  14)
 * kpathsea_var_value:                    Programming with config files.
                                                               (line  10)
 * KPATHSEA_WARNING:                      Config files.        (line  18)
-* kpse->debug:                           Debugging.           (line   6)
-* kpse->debug <1>:                       Debugging.           (line  18)
-* kpse->debug variable:                  Calling sequence.    (line  39)
-* kpse->format_info:                     Calling sequence.    (line  47)
-* kpse->invocation_name:                 Calling sequence.    (line  22)
-* kpse->invocation_short_name:           Calling sequence.    (line  22)
-* kpse->program_name:                    Calling sequence.    (line  22)
-* kpsewhich:                             Invoking kpsewhich.  (line   6)
-* Kpsewhich, and debugging:              Debugging.           (line  31)
+* kpathsea.h:                            Programming overview.
+                                                              (line  26)
+* kpse mode of LuaTeX:                   Security.            (line  32)
 * KPSE_BITMAP_TOLERANCE:                 Basic glyph lookup.  (line  15)
 * KPSE_DEBUG_EXPAND (16):                Debugging.           (line  68)
 * KPSE_DEBUG_FOPEN (4):                  Debugging.           (line  53)
@@ -3563,6 +3666,15 @@
 * KPSE_DEBUG_VARS (64):                  Debugging.           (line  83)
 * KPSE_DOT expansion:                    KPSE_DOT expansion.  (line   6)
 * kpse_format_info_type:                 Debugging.           (line  61)
+* kpse->debug:                           Debugging.           (line   6)
+* kpse->debug <1>:                       Debugging.           (line  18)
+* kpse->debug variable:                  Calling sequence.    (line  39)
+* kpse->format_info:                     Calling sequence.    (line  47)
+* kpse->invocation_name:                 Calling sequence.    (line  22)
+* kpse->invocation_short_name:           Calling sequence.    (line  22)
+* kpse->program_name:                    Calling sequence.    (line  22)
+* kpsewhich:                             Invoking kpsewhich.  (line   6)
+* Kpsewhich, and debugging:              Debugging.           (line  31)
 * last-resort font:                      Fallback font.       (line   6)
 * lcircle10:                             Fontmap.             (line  19)
 * leading colons:                        Default expansion.   (line   6)
@@ -3573,9 +3685,10 @@
 * license for using the library:         Introduction.        (line  32)
 * LIGFONTS:                              Supported file formats.
                                                               (line  88)
-* lines, reading arbitrary-length:       Calling sequence.    (line 128)
+* lines, reading arbitrary-length:       Calling sequence.    (line  91)
 * Linux File System Standard:            mktex configuration. (line 113)
-* local cache of fonts:                  Security.            (line  22)
+* local cache of fonts:                  Global font cache and security.
+                                                              (line   6)
 * log file:                              Logging.             (line   6)
 * logging successful searches:           Logging.             (line   6)
 * lost+found directory:                  Searching overview.  (line  63)
@@ -3587,6 +3700,8 @@
 * ls-R, simplest build:                  ls-R.                (line  22)
 * LUAINPUTS:                             Supported file formats.
                                                               (line  94)
+* luaotfload:                            Safe filenames.      (line  26)
+* LuaTeX and security:                   Security.            (line  32)
 * Mac filesystem, case-insensitive:      Casefolding rationale.
                                                               (line   6)
 * MacKenzie, David:                      History.             (line  44)
@@ -3596,7 +3711,7 @@
 * mailing lists:                         Mailing lists.       (line   6)
 * MAKETEX_DEBUG (512):                   Debugging.           (line  91)
 * MAKETEX_FINE_DEBUG (1024):             Debugging.           (line 100)
-* memory allocation routines:            Calling sequence.    (line 128)
+* memory allocation routines:            Calling sequence.    (line  91)
 * metafont driver files:                 mktex configuration. (line  93)
 * Metafont failures:                     TeX or Metafont failing.
                                                               (line   6)
@@ -3618,8 +3733,8 @@
                                                               (line 121)
 * mismatched checksum warnings:          Suppressing warnings.
                                                               (line  17)
+* MISSFONT_LOG:                          mktex script names.  (line  45)
 * missfont.log:                          mktex script names.  (line  35)
-* MISSFONT_LOG:                          mktex script names.  (line  45)
 * missing character warnings:            Suppressing warnings.
                                                               (line  20)
 * mkocp:                                 mktex script names.  (line  18)
@@ -3673,7 +3788,7 @@
                                                               (line 145)
 * online Metafont display, spurious:     Unable to generate fonts.
                                                               (line  36)
-* openout_any:                           Calling sequence.    (line  82)
+* openout_any:                           Safe filenames.      (line   6)
 * OPENTYPEFONTS:                         Supported file formats.
                                                               (line 149)
 * optimization caveat:                   TeX or Metafont failing.
@@ -3688,7 +3803,7 @@
                                                               (line 158)
 * OVPFONTS:                              Supported file formats.
                                                               (line 161)
-* paranoid mode, for output files:       Calling sequence.    (line  97)
+* paranoid mode, for output files:       Safe filenames.      (line  18)
 * path expansion:                        Path expansion.      (line   6)
 * path searching:                        Path searching.      (line   6)
 * path searching options:                Path searching options.
@@ -3708,8 +3823,10 @@
 * pdftexconfig.tex:                      Specially-recognized files.
                                                               (line  34)
 * permission denied:                     Searching overview.  (line  63)
-* permissions, directory:                Security.            (line  51)
-* permissions, file:                     Security.            (line  47)
+* permissions, directory:                Global font cache and security.
+                                                              (line  34)
+* permissions, file:                     Global font cache and security.
+                                                              (line  30)
 * PKFONTS:                               Supported file formats.
                                                               (line 168)
 * plain.base:                            Unable to generate fonts.
@@ -3737,7 +3854,7 @@
                                                               (line  16)
 * readable:                              Suppressing warnings.
                                                               (line  26)
-* reading arbitrary-length lines:        Calling sequence.    (line 128)
+* reading arbitrary-length lines:        Calling sequence.    (line  91)
 * recording successful searches:         Logging.             (line   6)
 * relative filenames:                    Searching overview.  (line  58)
 * reporting bugs:                        Reporting bugs.      (line   6)
@@ -3745,7 +3862,7 @@
 * resolution, setting:                   Path searching options.
                                                               (line  49)
 * resolutions, last-resort:              Fallback font.       (line   6)
-* restricted mode, for output files:     Calling sequence.    (line  93)
+* restricted mode, for output files:     Safe filenames.      (line  15)
 * retrieving TeX:                        unixtex.ftp.         (line   6)
 * right-hand side of variable assignments: Config files.      (line  57)
 * RISINPUTS:                             Supported file formats.
@@ -3768,9 +3885,11 @@
 * SELFAUTOLOC:                           Calling sequence.    (line  31)
 * SELFAUTOPARENT:                        Calling sequence.    (line  31)
 * sending patches:                       Bug checklist.       (line  52)
-* setgid scripts:                        Security.            (line  40)
+* setgid scripts:                        Global font cache and security.
+                                                              (line  23)
 * SFDFONTS:                              Supported file formats.
                                                               (line 181)
+* shell commands, security:              Security.            (line  23)
 * shell variables:                       Variable expansion.  (line  17)
 * shell_escape, example for code:        Programming with config files.
                                                               (line  10)
@@ -3783,19 +3902,19 @@
 * sources for search paths:              Path sources.        (line   6)
 * special:                               Suppressing warnings.
                                                               (line  30)
+* st_nlink:                              Subdirectory expansion.
+                                                              (line  26)
+* ST_NLINK_TRICK:                        Subdirectory expansion.
+                                                              (line  38)
 * stack trace:                           Bug checklist.       (line  58)
 * standalone path searching:             Invoking kpsewhich.  (line   6)
 * standard error and debugging output:   Debugging.           (line  27)
 * standard options:                      Standard options.    (line   6)
 * startup time, excessive:               Slow path searching. (line   6)
-* string routines:                       Calling sequence.    (line 128)
+* string routines:                       Calling sequence.    (line  91)
 * strip:                                 mktex configuration. (line 107)
 * stripsupplier:                         mktex configuration. (line 101)
 * striptypeface:                         mktex configuration. (line 104)
-* st_nlink:                              Subdirectory expansion.
-                                                              (line  26)
-* ST_NLINK_TRICK:                        Subdirectory expansion.
-                                                              (line  38)
 * subdirectory searching:                Subdirectory expansion.
                                                               (line   6)
 * suffixes, filename:                    File lookup.         (line  24)
@@ -3834,8 +3953,11 @@
 * TeX file lookup:                       File lookup.         (line   6)
 * TeX glyph lookup:                      Glyph lookup.        (line   6)
 * TeX support:                           TeX support.         (line   6)
-* TeX Users Group:                       Introduction.        (line  43)
-* tex-file.c:                            File lookup.         (line  38)
+* TeX Users Group:                       Introduction.        (line  42)
+* TEX_HUSH:                              Searching overview.  (line  63)
+* TEX_HUSH <1>:                          Suppressing warnings.
+                                                              (line   6)
+* tex-file.c:                            File lookup.         (line  37)
 * tex-file.h:                            Programming overview.
                                                               (line  26)
 * tex-glyph.c:                           Glyph lookup.        (line  26)
@@ -3873,6 +3995,11 @@
                                                               (line 184)
 * TEXMF:                                 TeX directory structure.
                                                               (line   6)
+* texmf_casefold_search:                 Casefolding search.  (line  12)
+* TEXMF_OUTPUT_DIRECTORY, and missfont.log: mktex script names.
+                                                              (line  39)
+* TEXMF_OUTPUT_DIRECTORY, and paranoid output files: Safe filenames.
+                                                              (line  21)
 * texmf.cnf:                             Specially-recognized files.
                                                               (line  38)
 * texmf.cnf missing, warning about:      Config files.        (line  18)
@@ -3893,16 +4020,13 @@
                                                               (line 101)
 * TEXMFLOG:                              Logging.             (line  10)
 * TEXMFOUTPUT, and missfont.log:         mktex script names.  (line  39)
-* TEXMFOUTPUT, and paranoid output files: Calling sequence.   (line  97)
+* TEXMFOUTPUT, and paranoid output files: Safe filenames.     (line  21)
 * TEXMFSCRIPTS:                          Supported file formats.
                                                               (line 195)
+* TEXMFSYSVAR:                           Safe filenames.      (line  26)
 * texmfvar:                              mktex configuration. (line 122)
 * TEXMFVAR:                              mktex configuration. (line 123)
-* texmf_casefold_search:                 Casefolding search.  (line  12)
-* TEXMF_OUTPUT_DIRECTORY, and missfont.log: mktex script names.
-                                                              (line  39)
-* TEXMF_OUTPUT_DIRECTORY, and paranoid output files: Calling sequence.
-                                                              (line  97)
+* TEXMFVAR <1>:                          Safe filenames.      (line  26)
 * TEXPICTS:                              Supported file formats.
                                                               (line  79)
 * TEXPKS:                                Supported file formats.
@@ -3916,9 +4040,6 @@
 * TEXSIZES:                              Fallback font.       (line   6)
 * TEXSOURCES:                            Supported file formats.
                                                               (line 192)
-* TEX_HUSH:                              Searching overview.  (line  63)
-* TEX_HUSH <1>:                          Suppressing warnings.
-                                                              (line   6)
 * TFMFONTS:                              Supported file formats.
                                                               (line 203)
 * tilde expansion:                       Tilde expansion.     (line   6)
@@ -3933,7 +4054,8 @@
                                                               (line 207)
 * trick for detecting leaf directories:  Subdirectory expansion.
                                                               (line  22)
-* trojan horse attack:                   Security.            (line  10)
+* trojan horse:                          Safe filenames.      (line   6)
+* trojan horse attack:                   Security.            (line  16)
 * try_std_extension_first:               File lookup.         (line  24)
 * TTFONTS:                               Supported file formats.
                                                               (line 211)
@@ -3951,12 +4073,12 @@
 * unreadable file warnings:              Suppressing warnings.
                                                               (line  27)
 * unreadable files:                      Searching overview.  (line  63)
-* unrestricted mode, for output files:   Calling sequence.    (line  91)
+* unrestricted mode, for output files:   Safe filenames.      (line  13)
 * unusable ls-R warning:                 ls-R.                (line  51)
 * usage patterns, finding:               Logging.             (line   6)
-* USERPROFILE, as ~ expansion:           Tilde expansion.     (line   6)
 * USE_TEXMFVAR:                          mktex configuration. (line 128)
 * USE_VARTEXFONTS:                       mktex configuration. (line 118)
+* USERPROFILE, as ~ expansion:           Tilde expansion.     (line   6)
 * varfonts:                              mktex configuration. (line 112)
 * variable expansion:                    Variable expansion.  (line   6)
 * variable.c:                            Variable expansion.  (line  32)
@@ -3997,63 +4119,70 @@
 
 
 Tag Table:
-Node: Top1480
-Node: Introduction2262
-Node: History4331
-Node: unixtex.ftp8927
-Node: Security10397
-Node: TeX directory structure12901
-Node: Path searching16940
-Node: Searching overview17898
-Node: Path sources21717
-Node: Config files22943
-Node: Path expansion27815
-Node: Default expansion28768
-Node: Variable expansion30838
-Node: Tilde expansion32239
-Node: Brace expansion33219
-Node: KPSE_DOT expansion34158
-Node: Subdirectory expansion34671
-Node: Casefolding search37019
-Node: Casefolding rationale37788
-Node: Casefolding examples39134
-Node: Filename database44180
-Node: ls-R45162
-Node: Filename aliases48838
-Node: Database format50016
-Node: Invoking kpsewhich51029
-Node: Path searching options51984
-Node: Specially-recognized files61654
-Node: Auxiliary tasks63025
-Node: Standard options66750
-Node: TeX support67106
-Node: Supported file formats68460
-Node: File lookup76279
-Node: Glyph lookup78028
-Node: Basic glyph lookup79152
-Node: Fontmap80032
-Node: Fallback font82542
-Node: Suppressing warnings83454
-Node: mktex scripts84581
-Node: mktex configuration85796
-Node: mktex script names91599
-Node: mktex script arguments93170
-Node: Programming94049
-Node: Programming overview94622
-Node: Calling sequence97483
-Ref: openout_any101641
-Node: Program-specific files104692
-Node: Programming with config files105715
-Node: Reporting bugs107302
-Node: Bug checklist107980
-Node: Mailing lists111449
-Node: Debugging112126
-Node: Logging117203
-Node: Common problems119070
-Node: Unable to find files119547
-Node: Slow path searching121957
-Node: Unable to generate fonts123332
-Node: TeX or Metafont failing125804
-Node: Index127006
+Node: Top1479
+Node: Introduction2261
+Node: History4352
+Node: unixtex.ftp8972
+Node: Security10454
+Node: Global font cache and security13167
+Node: TeX directory structure15158
+Node: Path searching19333
+Node: Searching overview20291
+Node: Path sources24198
+Node: Config files25468
+Node: Path expansion30516
+Node: Default expansion31485
+Node: Variable expansion33607
+Node: Tilde expansion35076
+Node: Brace expansion36124
+Node: KPSE_DOT expansion37119
+Node: Subdirectory expansion37644
+Node: Casefolding search40084
+Node: Casefolding rationale40861
+Node: Casefolding examples42219
+Node: Filename database47441
+Node: ls-R48455
+Node: Filename aliases52327
+Node: Database format53569
+Node: Invoking kpsewhich54618
+Node: Path searching options55601
+Node: Specially-recognized files65603
+Node: Auxiliary tasks67078
+Node: Standard options71222
+Node: TeX support71590
+Node: Supported file formats72948
+Node: File lookup81699
+Node: Glyph lookup83504
+Node: Basic glyph lookup84652
+Node: Fontmap85560
+Node: Fallback font88168
+Node: Suppressing warnings89104
+Node: mktex scripts90267
+Node: mktex configuration91510
+Node: mktex script names97603
+Node: mktex script arguments99286
+Node: Programming100201
+Node: Programming overview100844
+Node: Calling sequence103755
+Node: Safe filenames109092
+Ref: openout_any109251
+Node: Program-specific files112839
+Node: Programming with config files113892
+Node: Reporting bugs115539
+Node: Bug checklist116217
+Node: Mailing lists119774
+Node: Debugging120451
+Node: Logging125708
+Node: Common problems127615
+Node: Unable to find files128092
+Node: Slow path searching130548
+Node: Unable to generate fonts131943
+Node: TeX or Metafont failing134479
+Node: Index135681
 
 End Tag Table
+
+
+Local Variables:
+coding: utf-8
+End:

Modified: trunk/Build/source/texk/kpathsea/doc/kpathsea.texi
===================================================================
--- trunk/Build/source/texk/kpathsea/doc/kpathsea.texi	2024-01-14 00:45:55 UTC (rev 69415)
+++ trunk/Build/source/texk/kpathsea/doc/kpathsea.texi	2024-01-14 18:27:55 UTC (rev 69416)
@@ -2,13 +2,13 @@
 @setfilename kpathsea.info
 @settitle Kpathsea: A library for path searching
 
- at set version 6.3.5
- at set month-year October 2023
+ at set version 6.4.0
+ at set month-year January 2024
 
 @copying
 This file documents the Kpathsea library for path searching.
 
-Copyright @copyright{} 1996--2023 Karl Berry & Olaf Weber.
+Copyright @copyright{} 1996--2024 Karl Berry & Olaf Weber.
 
 Permission is granted to make and distribute verbatim copies of this
 manual provided the copyright notice and this permission notice are
@@ -285,29 +285,78 @@
 privileges, so there's no first-level security concern of people gaining
 illegitimate root access.
 
+Thus, the general goal of our security measures is to make an
+untrusted @TeX{} document safe to execute, in the sense of no document
+being able to change the system or user configuration, or somehow
+transmit information to an attacker.  Here are some of the steps that
+have been taken to make the @TeX{} system safe in this regard:
+
+ at itemize
+ at item
 @cindex trojan horse attack
- at flindex .rhosts at r{, writable by @TeX{}}
-A @TeX{} document, however, can write to arbitrary files, e.g.,
- at file{~/.rhosts}, and thus an unwitting user who runs @TeX{} on a random
-document is vulnerable to a trojan horse attack.  This loophole is
-closed by default, but you can be permissive if you so desire in
- at file{texmf.cnf}.  @xref{tex invocation,,, web2c, Web2c}.  MetaPost has
-the same issue.
+ at flindex .profile at r{, (un)writable by @TeX{}}
+ at findex \openout
+A @TeX{} document can write to arbitrary files via @code{\openout},
+e.g., @file{~/.profile}, and thus an unwitting user who runs @TeX{} on
+an untrusted document is vulnerable to a trojan horse attack.  This
+loophole is closed by default, but you can be permissive if you so
+desire in @file{texmf.cnf}.  @xref{tex invocation,,, web2c, Web2c}.
+MetaPost has the same issue.
 
-Dvips, Xdvi, and @TeX{} can also execute shell commands under some
-circumstances.  To disable this, see the @samp{-R} option in @ref{Option
+ at item
+ at cindex shell commands, security
+Dvips, Xdvi, @TeX{}, and others can execute shell commands.  By
+default, only a handful of commands that are believed to be safe (to
+the best of our ability to check) are allowed.  For the list, see the
+ at code{shell_escape_commands} variable in @file{texmf.cnf}
+(@pxref{Shell escapes,,, web2c, Web2c}).  For more information, e.g.,
+to disable this completely, see the @samp{-R} option in @ref{Option
 details,,, dvips, Dvips}, the xdvi man page, and @ref{tex
 invocation,,, web2c, Web2c}, respectively.
 
+ at item
+ at cindex Lua at TeX{} and security
+ at cindex kpse mode of Lua at TeX{}
+Lua at TeX{} is a special case.  Since Lua is a general-purpose
+programming language, it has all the usual functionality for writing
+files, executing shell commands, and plenty more.  When Lua at TeX{} is
+used in its so-called ``kpse'' mode, as with Lua at LaTeX{}, we have
+nevertheless done our best to also make it safe to execute by default,
+by disabling or restricting the various problematic Lua features.
+ at xref{Safe filenames}, for a bit more about this.  (By the way, when
+Lua at TeX{} is run in non-kpse mode, as with Con at TeX{}t MkIV, everything
+is allowed; thus, untrusted documents should not be processed without
+checking.)
+
+ at item
+ at cindex crashes of @TeX{} and security
+There are some well-known ways to crash @TeX{}, using (deliberately
+unchecked) arithmetic overflow and other nefarious constructs (some
+are listed at @url{https://tug.org/texmfbug/nobug.html}.  While
+disturbing, @TeX{} has no special system access and so these crashes
+don't present a security risk.
+
+ at item
+One more issue is the desire for a globally writable font cache
+directory; see the section below for this (@ref{Global font cache and
+security}).
+ at end itemize
+
+ at menu
+* Global font cache and security::
+ at end menu
+
+ at node Global font cache and security
+ at section Global font cache and security
+
 @cindex local cache of fonts
 @cindex cache of fonts, local
-Another security issue arises because it's very useful---almost
-necessary---to make arbitrary fonts on user demand with @code{mktexpk}
+It's useful to make arbitrary fonts on user demand with @code{mktexpk}
 and friends.  Where do these files get installed?  By default, the
 @code{mktexpk} distributed with Kpathsea assumes a world-writable
- at file{/var/tmp} directory; this is a simple and convenient approach, but
-it may not suit your situation because it means that a local cache of
-fonts is created on every machine.
+ at file{/var/tmp} directory; this is a simple and convenient approach,
+but it does not suit all situations, because it means that a local
+cache of fonts is created on every user's system.
 
 @cindex globally writable directories
 To avoid this duplication, many people consider a shared, globally
@@ -343,7 +392,11 @@
 @code{appendonlydir} feature is used, in which case the sticky bit is
 always set.
 
+Nowadays, with bitmap files rarely used, and with individual systems
+being so much more powerful, this is less of an issue than it was in
+the past. But the question still comes up occasionally.
 
+
 @node TeX directory structure
 @chapter @TeX{} directory structure
 
@@ -1882,12 +1935,20 @@
 formats}), including the names and abbreviations, variables
 looked for, and the original path.
 
+ at item --safe-extended-in-name=@var{name}
+ at itemx --safe-extended-out-name=@var{name}
+ at opindex --safe-extended-in-name=@var{name}
+ at opindex --safe-extended-out-name=@var{name}
+As with @samp{--safe-in-name} and @samp{--safe-out-name} (next item),
+but also allow files under the variables @code{TEXMFVAR} and
+ at code{TEXMFSYSVAR} (@pxref{Calling sequence}).
+
 @item --safe-in-name=@var{name}
 @itemx --safe-out-name=@var{name}
 @opindex --safe-in-name=@var{name}
 @opindex --safe-out-name=@var{name}
 Exit successfully if @var{name} is safe to open for reading or
-writing, respectively, else unsuccessfully.  No output is written.
+writing, respectively, else unsuccessfully.  No errors are output.
 These tests take account of the related Kpathsea configuration
 settings (@pxref{Calling sequence}).
 
@@ -3083,6 +3144,7 @@
 @menu
 * Overview: Programming overview.         Introduction.
 * Calling sequence::                      Specifics of what to call.
+* Safe filenames::                        Only opening allowed files.
 * Program-specific files::                How to handle these.
 * Config: Programming with config files.  Getting info from texmf.cnf.
 @end menu
@@ -3131,9 +3193,9 @@
 
 @flindex config.h
 @flindex c-auto.h
-If you want to include only specific headers, you should still consider
-including @file{kpathsea/config.h} before including any other Kpathsea
-header, as it provides symbols used in the other headers.  Note that
+If you want to include only specific headers, you should still
+consider including @file{kpathsea/config.h} before including any other
+Kpathsea header, as it provides symbols used in the other headers;
 @file{kpathsea/config.h} includes @file{kpathsea/c-auto.h}, which is
 generated by Autoconf.
 
@@ -3141,7 +3203,7 @@
 The library provides no way for an external program to register new file
 types: @file{tex-file.[ch]} must be modified to do this. For example,
 Kpathsea has support for looking up Dvips config files, even though no
-program other than Dvips will likely ever want to do so.  I felt this
+program other than Dvips is likely to ever want to do so.  I felt this
 was acceptable, since along with new file types should also come new
 defaults in @file{texmf.cnf} (and its descendant @file{paths.h}), since
 it's simplest for users if they can modify one configuration file for
@@ -3148,9 +3210,9 @@
 all kinds of paths.
 
 Kpathsea does not parse any formats itself; it barely opens any files.
-Its primary purpose is to return filenames.  The GNU font utilities does
-contain libraries to read TFM, GF, and PK files, as do the programs
-above, of course.
+Its primary purpose is to return filenames.  The GNU font utilities
+package contains libraries to read TFM, GF, and PK files, as do the
+programs above, of course.
 
 
 @node Calling sequence
@@ -3211,12 +3273,13 @@
 @item
 @vindex kpse->debug @r{variable}
 @cindex debugging options, in Kpathsea-using program
-Set debugging options. @xref{Debugging}.  If your program doesn't have a
-debugging option already, you can define one and set
+Set debugging options. @xref{Debugging}.  If your program doesn't have
+a debugging option already, you can define one and set
 @code{kpse->debug} to the number that the user supplies (as in Dviljk
-and Web2c), or you can just omit this altogether (people can always set
- at code{KPATHSEA_DEBUG}).  If you do have runtime debugging already, you
-need to merge Kpathsea's options with yours (as in Dvipsk and Xdvik).
+and Web2c), or you can just omit this altogether (users can always set
+the @code{KPATHSEA_DEBUG} environment variable).  If you do have
+runtime debugging already, you need to merge Kpathsea's options with
+yours (as in Dvipsk and Xdvik).
 
 @item
 @vindex client_path @r{in @code{kpse->format_info}}
@@ -3232,13 +3295,15 @@
 @item
 @findex kpathsea_init_prog
 @flindex proginit.h
-Call @code{kpathsea_init_prog} (see @file{proginit.c}). It's useful for the
-DVI drivers, at least, but for other programs it may be simpler to
-extract the parts of it that actually apply.  This does not initialize
-any paths, it just looks for (and sets) certain environment variables
-and other random information.  (A search path is always initialized at
-the first call to find a file of that type; this eliminates much useless
-work, e.g., initializing the Bib at TeX{} search paths in a DVI driver.)
+Call @code{kpathsea_init_prog} (see @file{proginit.c}). It's useful
+for the DVI drivers, at least, but for other programs it may be
+simpler to extract the parts of it that actually apply.  This does not
+initialize any paths, it just looks for (and sets) certain environment
+variables and other random information.  Search paths are always
+initialized at the first call to find a file of a given type, not
+requiring an explicit initialization call; this eliminates much
+useless work, e.g., initializing the Bib at TeX{} search paths in a DVI
+driver.
 
 @item
 @findex kpathsea_find_file
@@ -3250,6 +3315,7 @@
 and does expansions at the first lookup.
 
 @item
+ at findex kpathsea_find_glyph
 To find PK and/or GF bitmap fonts, the routine
 is @code{kpathsea_find_glyph}, defined in
 @file{tex-glyph.h}. This returns a structure in addition to the
@@ -3257,6 +3323,10 @@
 documentation in the source.
 
 @item
+Before opening a file, especially for writing, you should check if the
+filename is acceptable.  See the next section (@pxref{Safe filenames}).
+
+ at item
 @findex kpathsea_open_file
 To actually open a file, not just return a filename, call
 @code{kpathsea_open_file}.  This function takes the name to look up and a
@@ -3267,18 +3337,47 @@
 exist, don't use this.
 
 @item
- at findex kpathsea_out_name_ok
+ at findex kpathsea_finish
+To close the Kpathsea library instance you are using, call
+ at code{kpathsea_finish}.  This function closes any open log files and
+frees the memory used by the instance.
+
+ at end enumerate
+
+ at cindex hash table routines
+ at cindex memory allocation routines
+ at cindex string routines
+ at cindex reading arbitrary-length lines
+ at cindex input lines, reading
+ at cindex lines, reading arbitrary-length
+Kpathsea also provides many utility routines. Some are generic: hash
+tables, memory allocation, string concatenation and copying, string
+lists, reading input lines of arbitrary length, etc. Others are
+filename-related: default path, tilde, and variable expansion,
+ at code{stat} calls, etc.
+
+ at flindex c-*.h
+ at pindex autoconf at r{, recommended}
+The @file{c-*.h} header files can also help your program adapt to many
+different systems.  You will almost certainly want to use Autoconf and
+probably Automake for configuring and building your software if you use
+Kpathsea; I strongly recommend using Autoconf and Automake regardless.
+They are available from @url{https://gnu.org/software}.
+
+
+ at node Safe filenames
+ at section Safe filenames
+
 @vindex openout_any
 @anchor{openout_any}
- at TeX{} can write output files, via the @code{\openout} primitive. This
-opens a security vulnerability: an unwitting user could run a @TeX{}
-document that overwrites, say, @file{~/.profile}.  Analogous
-vulnerabilities exist for almost any program that can write files, but
-since users expect @TeX{} to typeset documents, not overwrite personal
-files, it's desirable to handle this. To alleviate it, there is a
-configuration variable @code{openout_any}, which selects one of three
-levels of security:
+ at cindex trojan horse
+ at xref{Security}, for some general security considerations with the
+ at TeX{} system.
 
+In the implementation, the main security feature to disallow writing
+to potentially dangerous files is a configuration variable
+ at code{openout_any}. It specifies one of three levels:
+
 @itemize
 @item
 @cindex unrestricted mode, for output files
@@ -3287,25 +3386,40 @@
 @item
 @cindex restricted mode, for output files
 When is set to @samp{r} (for ``restricted''), filenames beginning
-with @samp{.}  are disallowed (except @file{.tex}, because @LaTeX{}
+with @samp{.} are disallowed (except @file{.tex}, because @LaTeX{}
 needs it).
 
 @item
 @cindex paranoid mode, for output files
+When set to @samp{p} (for ``paranoid''), additional restrictions are
+imposed.
+
+ at enumerate
+ at item
 @vindex TEXMF_OUTPUT_DIRECTORY at r{, and paranoid output files}
 @vindex TEXMFOUTPUT at r{, and paranoid output files}
-When set to @samp{p} (for ``paranoid''), additional restrictions are
-imposed. First, an absolute filename must refer to a file in (or in a
+First, an absolute filename must refer to a file in (or in a
 subdirectory of) either the @code{TEXMF_OUTPUT_DIRECTORY} environment
 variable or the @code{TEXMFOUTPUT} environment variable or
-configuration file setting. Second, any attempt to go up a directory
-level is forbidden; that is, paths may not contain a @samp{..}
-component.
+configuration file setting.
 
 @item
-For backwards compatibility, @samp{y} and @samp{1} are synonyms of
- at samp{a}, while @samp{n} and @samp{0} are synonyms for @samp{r}.
+ at vindex TEXMFSYSVAR
+ at vindex TEXMFVAR
+ at findex luaotfload
+Lua at TeX{} uses a so-called ``extended'' mode, in which the values of
+ at code{TEXMFVAR} and @code{TEXMFSYSVAR} are also checked for absolute
+filenames.  This is done because, in practice, fundamental parts of
+the Lua at LaTeX{} system (notably @code{luaotfload}) need a cache
+directory, and historically the @code{TEXMF[SYS]VAR} variables are
+what has been used. We neither recommend nor expect any other programs
+to need this.
 
+ at item 
+Finally, any attempt to go up a directory level is forbidden; that is,
+paths may not contain a @samp{..} component.
+
+ at end enumerate
 @end itemize
 
 The paranoid setting is the default. Any program intended to be safely
@@ -3312,48 +3426,58 @@
 called from @TeX{} should implement the same measures, one way or
 another.  @xref{Shell escapes,,, web2c, Web2c}.
 
+Kpathsea does not resolve @samp{..} components, or symbolic links, to
+see if the final result is an acceptable directory; they are simply
+forbidden.  That is, Kpathsea merely considers the value as a string,
+not looking on the filesystem at all.  (However, if another program
+wants to do such resolutions and check the result, that's ok.)
+
+For backwards compatibility, @samp{y} and @samp{1} are synonyms of
+ at samp{a}, while @samp{n} and @samp{0} are synonyms for @samp{r}.
+
+ at findex kpathsea_out_name_ok
 The function @code{kpathsea_out_name_ok}, with a filename as second
 argument, returns @code{true} if that filename is acceptable to be
 opened for output or @code{false} otherwise.  The Kpsewhich program
-has options @samp{--safe-in-name} and @samp{--safe-out-name} to
-provide a command line interface for the checking.
+has an option (@samp{--safe-out-name}) providing a command line
+interface for the check.
 
- at item
+ at findex kpathsea_out_name_ok_extended
+For Lua at TeX{}'s extended mode, the function is
+ at code{kpathsea_out_name_ok_extended}, and the Kpsewhich option is
+ at samp{--safe-extended-out-name}.
+
 @findex kpathsea_in_name_ok
-Similarly, the function @code{kpathsea_in_name_ok}, with a filename as
-second argument, returns @code{true} if that filename is acceptable to be
-opend for input or @code{false} otherwise, depending on the value of the
-configuration variable @code{openin_any} (with @samp{a} as default;
-too many system directories are involved to make @samp{p} feasible).
+ at findex kpathsea_in_name_ok_extended
+Similarly, the function @code{kpathsea_in_name_ok} (resp.@:
+ at code{_extended}, with a filename as second argument, returns
+ at code{true} if that filename is acceptable to be opend for input or
+ at code{false} otherwise, depending on the value of the configuration
+variable @code{openin_any}.  Unfortunately, for reading, @samp{a} is
+the default default; too many system directories and files get
+involved to make @samp{r} or @samp{p} feasible.
 
- at item
- at findex kpathsea_finish
-To close the Kpathsea library instance you are using, call
- at code{kpathsea_finish}.  This function closes any open log files and
-frees the memory used by the instance.
+The functions above write a message to standard error if the usage is
+forbidden (so every caller does not have to do so).  Each function has
+a @code{_silent} counterpart which does not write the message; this is
+what Kpsewhich calls, since messages would be counterproductive in
+that case. Thus:
 
- at end enumerate
+ at findex kpathsea_out_name_ok_silent
+ at findex kpathsea_out_name_ok_silent_extended
+ at findex kpathsea_in_name_ok_silent
+ at findex kpathsea_in_name_ok_silent_extended
 
- at cindex hash table routines
- at cindex memory allocation routines
- at cindex string routines
- at cindex reading arbitrary-length lines
- at cindex input lines, reading
- at cindex lines, reading arbitrary-length
-Kpathsea also provides many utility routines. Some are generic: hash
-tables, memory allocation, string concatenation and copying, string
-lists, reading input lines of arbitrary length, etc. Others are
-filename-related: default path, tilde, and variable expansion,
- at code{stat} calls, etc. (Perhaps someday I'll move the former to a
-separate library.)
+ at example
+kpathsea_out_name_ok_silent
+kpathsea_out_name_ok_silent_extended
+kpathsea_in_name_ok_silent
+kpathsea_in_name_ok_silent_extended
+ at end example
 
- at flindex c-*.h
- at pindex autoconf at r{, recommended}
-The @file{c-*.h} header files can also help your program adapt to many
-different systems.  You will almost certainly want to use Autoconf and
-probably Automake for configuring and building your software if you use
-Kpathsea; I strongly recommend using Autoconf and Automake regardless.
-They are available from @url{https://gnu.org/software}.
+Sorry for the combinatorial explosion, but we hope no further options
+will ever be needed.  If so, we'll likely provide a more generic
+interface as well as the above.
 
 
 @node Program-specific files

Modified: trunk/Build/source/texk/kpathsea/kpsewhich.c
===================================================================
--- trunk/Build/source/texk/kpathsea/kpsewhich.c	2024-01-14 00:45:55 UTC (rev 69415)
+++ trunk/Build/source/texk/kpathsea/kpsewhich.c	2024-01-14 18:27:55 UTC (rev 69416)
@@ -1,7 +1,7 @@
 /* kpsewhich -- standalone path lookup and variable expansion for Kpathsea.
    Ideas from Thomas Esser, Pierre MacKay, and many others.
 
-   Copyright 1995-2023 Karl Berry & Olaf Weber.
+   Copyright 1995-2024 Karl Berry & Olaf Weber.
 
    This library is free software; you can redistribute it and/or
    modify it under the terms of the GNU Lesser General Public
@@ -62,10 +62,14 @@
 /* The program name, for `.PROG' construct in texmf.cnf.  (-program) */
 string progname = NULL;
 
-/* Safe input and output names to check.  (-safe-in-name and -safe-out-name) */
+/* Safe input and output names to check. (-safe-in-name, -safe-out-name) */
 string safe_in_name = NULL;
 string safe_out_name = NULL;
 
+/* Check TEXMF[SYS]VAR too. (-safe-extended-in-name,-safe-extended-out-name) */
+string safe_extended_in_name = NULL;
+string safe_extended_out_name = NULL;
+
 /* Return all matches, not just the first one?  (-all) */
 boolean show_all = false;
 
@@ -497,6 +501,8 @@
 -progname=STRING       set program name to STRING.\n\
 -safe-in-name=STRING   check if STRING is ok to open for input.\n\
 -safe-out-name=STRING  check if STRING is ok to open for output.\n\
+-safe-extended-in-name=STRING   also check TEXMF[SYS]VAR].\n\
+-safe-extended-out-name=STRING  also check TEXMF[SYS]VAR].\n\
 -show-path=TYPE        output search path for file type TYPE\n\
                          (list shown by -help-formats).\n\
 -subdir=STRING         only output matches whose directory ends with STRING.\n\
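Review bot: Both added help lines end in `TEXMF[SYS]VAR].` with a stray closing bracket, and "also check" does not tell the user that these options accept more names than `-safe-in-name` and `-safe-out-name` do. Suggested wording: `-safe-extended-out-name=STRING  as -safe-out-name, but also allow TEXMF[SYS]VAR.\n\`, and the same for the `-in-` line. "Allow" is the accurate verb here because the option loosens the check rather than adding one.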
@@ -620,6 +626,8 @@
       { "no-casefold-search",   0, 0, 0 },
       { "no-mktex",             1, 0, 0 },
       { "progname",             1, 0, 0 },
+      { "safe-extended-in-name",1, 0, 0 },
+      { "safe-extended-out-name",1,0, 0 },
       { "safe-in-name",         1, 0, 0 },
       { "safe-out-name",        1, 0, 0 },
       { "subdir",               1, 0, 0 },
@@ -711,6 +719,14 @@
     } else if (ARGUMENT_IS ("progname")) {
       progname = optarg;
 
+    } else if (ARGUMENT_IS ("safe-extended-in-name")) {
+      ENSURE_NONEMPTY_STRING (optarg);
+      safe_extended_in_name = optarg;
+
+    } else if (ARGUMENT_IS ("safe-extended-out-name")) {
+      ENSURE_NONEMPTY_STRING (optarg);
+      safe_extended_out_name = optarg;
+
     } else if (ARGUMENT_IS ("safe-in-name")) {
       ENSURE_NONEMPTY_STRING (optarg);
       safe_in_name = optarg;
@@ -757,6 +773,7 @@
   if (optind == argc
       && !var_to_expand && !braces_to_expand && !path_to_expand
       && !path_to_show && !var_to_value && !var_to_brace_value
+      && !safe_extended_in_name && !safe_extended_out_name
       && !safe_in_name && !safe_out_name) {
     fputs ("Missing argument. Try `kpsewhich --help' for more information.\n",
            stderr);
@@ -916,6 +933,16 @@
       unfound++;
   }
 
+  if (safe_extended_in_name) {
+    if (!kpathsea_in_name_ok_silent_extended (kpse, safe_extended_in_name))
+      unfound++;
+  }
+
+  if (safe_extended_out_name) {
+    if (!kpathsea_out_name_ok_silent_extended (kpse, safe_extended_out_name))
+      unfound++;
+  }
+
   /* --subdir must imply --all, since we filter here after doing the
      search, rather than inside the search itself.  */
   if (!STR_LIST_EMPTY (subdir_paths)) {

Added: trunk/Build/source/texk/kpathsea/tests/kpsesafe.test
===================================================================
--- trunk/Build/source/texk/kpathsea/tests/kpsesafe.test	                        (rev 0)
+++ trunk/Build/source/texk/kpathsea/tests/kpsesafe.test	2024-01-14 18:27:55 UTC (rev 69416)
@@ -0,0 +1,41 @@
+#! /bin/sh -vx
+# $Id$
+# Copyright 2024 Karl Berry <tex-live at tug.org>
+# You may freely use, modify and/or distribute this file.
+
+BinDir=${BinDir:-.}
+ExeExt=${ExeExt:-}
+_kpsewhich=$BinDir/kpsewhich$ExeExt
+
+TEXMFCNF=$srcdir; export TEXMFCNF
+
+echo "cwd ok."
+$_kpsewhich --safe-in-name=ifoo.tex || exit 1
+$_kpsewhich --safe-out-name=ofoo.tex || exit 2
+
+echo "./cwd ok."
+$_kpsewhich --safe-in-name=./ifoo.tex || exit 3
+$_kpsewhich --safe-out-name=./ofoo.tex || exit 4
+
+echo "/rootdir ok for reading, not writing."
+$_kpsewhich --safe-in-name=/ifoo.tex || exit 5
+$_kpsewhich --safe-out-name=/ofoo.tex && exit 6
+
+echo "TEXMF_OUTPUT_DIRECTORY and TEXMFOUTPUT ok for writing."
+TEXMF_OUTPUT_DIRECTORY=/xdir \
+  $_kpsewhich --safe-out-name=/xdir/ofoo.tex || exit 7
+TEXMFOUTPUT=/ydir \
+  $_kpsewhich --safe-out-name=/ydir/ofoo.tex || exit 8
+
+echo "TEXMFVAR and TEXMFSYSVAROUTPUT ok for writing only if extended."
+TEXMFVAR=/xvar \
+  $_kpsewhich --safe-out-name=/xvar/ofoo.tex && exit 9
+TEXMFSYSVAR=/yvar \
+  $_kpsewhich --safe-out-name=/yvar/ofoo.tex && exit 10
+#
+TEXMFVAR=/avar \
+  $_kpsewhich --safe-extended-out-name=/avar/ofoo.tex || exit 11
+TEXMFSYSVAR=/bvar \
+  $_kpsewhich --safe-extended-out-name=/bvar/ofoo.tex || exit 12
+
+: # exit successfully if get to the end.
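Review bot: The script only exercises the accepting side of the extended check. Nothing asserts that a sibling directory name or a `/../` component is still rejected under `--safe-extended-out-name`, which are the two cases the comments in tex-file.c call out. There is also no `--safe-extended-in-name` case, and the last `echo` names `TEXMFSYSVAROUTPUT` where `TEXMFSYSVAR` is meant. The cases below could go before the final `:` line; they assume the texmf.cnf found via `$srcdir` does not itself make `/avarx` an allowed directory.

```shell
# … unchanged: cases with exit codes 1–12 …

echo "sibling directory and /../ rejected even if extended."
TEXMFVAR=/avar \
  $_kpsewhich --safe-extended-out-name=/avarx/ofoo.tex && exit 13
TEXMFVAR=/avar \
  $_kpsewhich --safe-extended-out-name=/avar/../ofoo.tex && exit 14
```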


Property changes on: trunk/Build/source/texk/kpathsea/tests/kpsesafe.test
___________________________________________________________________
Added: svn:executable
## -0,0 +1 ##
+*
\ No newline at end of property
Added: svn:keywords
## -0,0 +1 ##
+Date Author Id Revision
\ No newline at end of property
Modified: trunk/Build/source/texk/kpathsea/tex-file.c
===================================================================
--- trunk/Build/source/texk/kpathsea/tex-file.c	2024-01-14 00:45:55 UTC (rev 69415)
+++ trunk/Build/source/texk/kpathsea/tex-file.c	2024-01-14 18:27:55 UTC (rev 69416)
@@ -1,7 +1,7 @@
 /* tex-file.c: high-level file searching by format.
 
    Copyright 1993, 1994, 1995, 1996, 1997, 2007, 2008, 2009, 2010, 2011
-             2012, 2014, 2016, 2017, 2019, 2023 Karl Berry.
+             2012, 2014, 2016, 2017, 2019, 2024 Karl Berry.
    Copyright 1998-2005 Olaf Weber.
 
    This library is free software; you can redistribute it and/or
@@ -1172,9 +1172,7 @@
 #endif
 
 
-

-/* Return true if FNAME is acceptable to open for reading or writing.  */
-
+/* Helper types for kpathsea_name_ok, just below.  */
 typedef enum ok_type {
     ok_reading,
     ok_writing
@@ -1185,29 +1183,71 @@
     "writing to"
 };
 
+
+/* Helper subroutine to check if absolute pathname FNAME is acceptable
+   in CHECKDIR. An absolute pathname is ok only if
+   CHECKDIR is set,
+   CHECKDIR is non-empty,
+   CHECKDIR is the beginning of FNAME
+     (e.g., disallow /somedir/file.tex against /anotherdir), and
+   the next character in FNAME is a directory separator
+     (e.g., disallow /somedirx/file.tex against /somedir).  */
+
 static boolean
+abs_fname_ok (const_string fname, const_string checkdir)
+{
+  return
+    checkdir             /* checkdir must be non-null */
+    && *checkdir != '\0' /* checkdir must be non-empty */
+    && fname == strstr (fname, checkdir)      /* fname must begin checkdir */
+    && IS_DIR_SEP (fname[strlen (checkdir)]); /* and be followed by /. */
+}
+
+/* Here is the general internal subroutine, kpathsea_name_ok, for
+   checking if a filename is acceptable to open for reading or writing.
+   Parameters:
+  kpse - the usual structure.
+  fname - the filename to check.
+  check_var - the config variable to check, openin_any or openout_any.
+  default_choice - if the variable is not set, one of the settings below.
+  action - what to check for: either ok_reading or ok_writing.
+  silent - whether to write a message to stderr if not ok.
+  extended - whether to also allow TEXMF[SYS]VAR; see comments below for more.
+  
+   The public functions below (and declared in tex-file.h), provide
+   convenience calls with defaults for the various combinations.
+   
+   The general idea is described in the Kpathsea manual, node Calling sequence.
+*/
+
+

+static boolean
 kpathsea_name_ok (kpathsea kpse, const_string fname, const_string check_var,
-                  const_string default_choice, ok_type action, boolean silent)
+                  const_string default_choice, ok_type action,
+                  boolean silent, boolean extended)
 {
   /* We distinguish three cases:
      'a' (any)        allows any file to be opened.
-     'r' (restricted) means disallowing special file names.
-     'p' (paranoid)   means being really paranoid: disallowing special file
-                      names and restricting output files to be in or below
-                      the working directory or $TEXMFOUTPUT or
-                      $TEXMF_OUTPUT_DIRECTORY, while input files
-                      must be below the current directory, the envvars, or
-                      (only implicitly) in the system areas.
-     We default to "paranoid".  The error messages from TeX may be puzzling.
+     'r' (restricted) means disallowing special filenames.
+     'p' (paranoid)   means being really paranoid: disallowing special
+                      filenames and restricting output files to be in or
+                      below the working directory or $TEXMFOUTPUT or
+                      $TEXMF_OUTPUT_DIRECTORY; and, if EXTENDED is true,
+                      $TEXMFVAR and $TEXMFSYSVAR.
+                        Input files must be below the current directory,
+                      the envvars, or (only implicitly) in the system
+                      areas. Unfortunately, in practice this does not
+                      suffice to make TeX usable, so we allow anything.
+     We default to "paranoid" for writing and "any" for reading. 
+
      This function contains several return and goto statements, be careful.
-     
      Paranoia originally supplied by Charles Karney.  */
 
   const_string open_choice = kpathsea_var_value (kpse, check_var);
-
   if (!open_choice)
     open_choice = default_choice;
 
+  /* If setting is a(nything), we're done.  This is the case for reading. */
   if (*open_choice == 'a' || *open_choice == 'y' || *open_choice == '1')
     return true;
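Review bot: In `abs_fname_ok`, `fname == strstr (fname, checkdir)` searches all of `fname` for `checkdir` when only a prefix comparison is wanted; `&& strncmp (fname, checkdir, strlen (checkdir)) == 0` gives the same result and states the intent. The helper's comment could also record that a `checkdir` value ending in a directory separator does not match an ordinary name below it, because the character tested after the prefix is then the first character of the next component. That fails closed, but it will surprise whoever sets `TEXMFVAR=/dir/`. The inline comment `fname must begin checkdir` is missing "with". `kpathsea_name_ok` begins in this hunk and continues past its end.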
 
@@ -1231,36 +1271,45 @@
   /* Other OSs don't have special names? */
 #endif
 
+  /* If setting is only r(estricted), we're done.  (Not a useful setting
+     in practice, but no reason to take it out now.)  */
   if (*open_choice == 'r' || *open_choice == 'n' || *open_choice == '0')
     return true;
 
   if (kpathsea_absolute_p (kpse, fname, false)) {
-
-    /* fname can be an absolute pathname only if one of the TEXMF*
-       variables is set, is non-empty, the value is the beginning of
-       fname, and the next character in fname is a directory separator.  */
-
     /* We'll check TEXMF_OUTPUT_DIRECTORY first.  This must be an
        environment variable, not a configuration file setting.  */
     const_string texmfoutdir = getenv ("TEXMF_OUTPUT_DIRECTORY");
-    if (!texmfoutdir || *texmfoutdir == '\0'
-        || fname != strstr (fname, texmfoutdir)
-        || !IS_DIR_SEP (fname[strlen (texmfoutdir)])) {
-       
-      /* Ok, that didn't work. Check TEXMFOUTPUT in exactly the same
-         way, except it can be in the configuration file.  */
-      const_string texmfoutput
-        = kpathsea_var_value (kpse, "TEXMFOUTPUT");
-      if (!texmfoutput || *texmfoutput == '\0'
-          || fname != strstr (fname, texmfoutput)
-          || !IS_DIR_SEP (fname[strlen (texmfoutput)])) {
-          goto not_ok;
+    if (!abs_fname_ok (fname, texmfoutdir)) {
+      /* That failed. Next, check TEXMFOUTPUT, but this can be in the
+         configuration file (i.e., call kpse_var_value instead of getenv).  */
+      const_string texmfoutput = kpathsea_var_value (kpse, "TEXMFOUTPUT");
+      if (!abs_fname_ok (fname, texmfoutput)) {
+        /* That failed too.  If `extended' is set, try TEXMFVAR and
+           TEXMFSYSVAR.  */
+        if (extended) {
+          const_string texmfvar = kpathsea_var_value (kpse, "TEXMFVAR");
+          if (!abs_fname_ok (fname, texmfvar)) {
+            const_string texmfsysvar
+              = kpathsea_var_value (kpse, "TEXMFSYSVAR");
+            if (!abs_fname_ok (fname, texmfsysvar)) {
+              goto not_ok; /* nothing left to check.  */
+            }
+          }
+        } else {
+          goto not_ok; /* not extended */
+        }
       }
     }
   }
 
   /* For all pathnames, we disallow "../" at the beginning or "/../"
-     anywhere.  */
+     anywhere. We need to check this for absolute paths, so fall through
+     from above if the absolute check succeeded.
+     
+     We don't try to resolve relative path elements and see if we end up
+     in an acceptable directory, but rather simply consider the value as
+     a string. (It's ok if other programs do such resolution, though.)  */
   if (fname[0] == '.' && fname[1] == '.' && IS_DIR_SEP(fname[2]))
     goto not_ok;
   else {
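Review bot: With `extended` set, the absolute-path branch accepts names under `TEXMFVAR` and `TEXMFSYSVAR` even when `openout_any` is `p`, and the comments do not say which callers are expected to ask for this. Both values come from `kpathsea_var_value`, so they may be set in the environment as well as in texmf.cnf. Those trees typically hold generated files that later runs read back, so a comment here should state the intended use, if that is the intent: `/* EXTENDED is for a program's own cache files (e.g., luaotfload); names taken from a document should keep using the non-extended check. */`. The match is also purely textual, as the following comment says, so a symbolic link below an allowed directory is not noticed; that is worth stating next to the new branch too. The enclosing function starts and ends outside this hunk.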
@@ -1282,27 +1331,44 @@
 
  not_ok: /* Some test failed.  */
   if (!silent)
-    fprintf (stderr, "\n%s: Not %s %s (%s = %s).\n",
+    fprintf (stderr, "\n%s: Not %s %s (%s = %s; %s extended check).\n",
              kpse->invocation_name, ok_type_name[action], fname,
-             check_var, open_choice);
+             check_var, open_choice, extended ? "" : "no ");
   return false;
 }
 
-/* For input default to all. */
+/* For input, default to anything being ok. */
 
 boolean
 kpathsea_in_name_ok_silent (kpathsea kpse, const_string fname)
 {
-  return kpathsea_name_ok (kpse, fname, "openin_any", "a", ok_reading, true);
+  return
+   kpathsea_name_ok (kpse, fname, "openin_any", "a", ok_reading, true, false);
 }
 
 boolean
 kpathsea_in_name_ok (kpathsea kpse, const_string fname)
 {
-  return kpathsea_name_ok (kpse, fname, "openin_any", "a", ok_reading, false);
+  return
+   kpathsea_name_ok (kpse, fname, "openin_any", "a", ok_reading, false, false);
 }
 
+boolean
+kpathsea_in_name_ok_silent_extended (kpathsea kpse, const_string fname)
+{
+  return
+   kpathsea_name_ok (kpse, fname, "openin_any", "a", ok_reading, true, true);
+}
 
+boolean
+kpathsea_in_name_ok_extended (kpathsea kpse, const_string fname)
+{
+  return
+   kpathsea_name_ok (kpse, fname, "openin_any", "a", ok_reading, false, true);
+}
+
+

+/* Output name checks. */
 #if defined(WIN32) || defined(__CYGWIN__)
 static int
 Isspace (char c)
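Review bot: In the `not_ok` message, `"%s extended check"` combined with `extended ? "" : "no "` prints two spaces (`p;  extended check`) when `extended` is true. Dropping the space in the format fixes it: `"\n%s: Not %s %s (%s = %s; %sextended check).\n"`. The two new `kpathsea_in_name_ok*_extended` functions also carry no comment. One line noting that with the default `openin_any` of `a` the function returns true before `extended` is consulted would save readers from tracing it.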
@@ -1366,7 +1432,8 @@
 #endif /* WIN32 || __CYGWIN__ */
 
 static boolean
-kpathsea_out_name_ok_1 (kpathsea kpse, const_string fname, boolean silent)
+kpathsea_out_name_ok_1 (kpathsea kpse, const_string fname,
+                        boolean silent, boolean extended)
 {
 #if defined(WIN32) || defined(__CYGWIN__)
   /* Output of an executable file is restricted on Windows */
@@ -1374,21 +1441,34 @@
     return false;
 #endif /* WIN32 || __CYGWIN__ */
   /* For output, default to paranoid. */
-  return kpathsea_name_ok (kpse, fname, "openout_any", "p", ok_writing,silent);
+  return kpathsea_name_ok (kpse, fname, "openout_any", "p", ok_writing,
+                           silent, extended);
 }
 
 boolean
 kpathsea_out_name_ok_silent (kpathsea kpse, const_string fname)
 {
-  return kpathsea_out_name_ok_1 (kpse, fname, true);
+  return kpathsea_out_name_ok_1 (kpse, fname, true, false);
 }
 
 boolean
 kpathsea_out_name_ok (kpathsea kpse, const_string fname)
 {
-  return kpathsea_out_name_ok_1 (kpse, fname, false);
+  return kpathsea_out_name_ok_1 (kpse, fname, false, false);
 }
 
+boolean
+kpathsea_out_name_ok_silent_extended (kpathsea kpse, const_string fname)
+{
+  return kpathsea_out_name_ok_1 (kpse, fname, true, true);
+}
+
+boolean
+kpathsea_out_name_ok_extended (kpathsea kpse, const_string fname)
+{
+  return kpathsea_out_name_ok_1 (kpse, fname, false, true);
+}
+
 #if defined (KPSE_COMPAT_API)
 boolean
 kpse_in_name_ok (const_string fname)

Modified: trunk/Build/source/texk/kpathsea/tex-file.h
===================================================================
--- trunk/Build/source/texk/kpathsea/tex-file.h	2024-01-14 00:45:55 UTC (rev 69415)
+++ trunk/Build/source/texk/kpathsea/tex-file.h	2024-01-14 18:27:55 UTC (rev 69416)
@@ -1,7 +1,7 @@
 /* tex-file.h: find files in a particular format.
 
    Copyright 1993, 1994, 1995, 1996, 2007, 2008, 2009, 2010, 2013,
-   2014 Karl Berry.
+             2014-2024 Karl Berry.
    Copyright 1998-2005 Olaf Weber.
 
    This library is free software; you can redistribute it and/or
@@ -80,7 +80,7 @@
 /* Return true if FNAME is acceptable to open for reading or writing.
    If not acceptable, write a message to stderr.  */
 extern KPSEDLL boolean kpathsea_in_name_ok (kpathsea kpse, const_string fname);
-extern KPSEDLL boolean kpathsea_out_name_ok (kpathsea kpse, const_string fname);
+extern KPSEDLL boolean kpathsea_out_name_ok(kpathsea kpse, const_string fname);
 
 /* As above, but no error message.  */
 extern KPSEDLL boolean kpathsea_in_name_ok_silent
@@ -88,7 +88,18 @@
 extern KPSEDLL boolean kpathsea_out_name_ok_silent
    (kpathsea kpse, const_string fname);
 
-/* Don't just look up the name, actually open the file.  */
+/* Four more name-checking routines, this time with the "extended" 
+   parameter set, which also checks TEXMF[SYS]VAR (see the Kpathsea manual).
+   Hopefully we won't need to add yet more options .  */
+extern KPSEDLL boolean kpathsea_in_name_ok_extended (kpathsea, const_string);
+extern KPSEDLL boolean kpathsea_out_name_ok_extended (kpathsea, const_string);
+extern KPSEDLL boolean kpathsea_in_name_ok_silent_extended
+   (kpathsea kpse, const_string fname);
+extern KPSEDLL boolean kpathsea_out_name_ok_silent_extended
+   (kpathsea kpse, const_string fname);
+
+/* Don't just look up a name, actually open a file.  The name_ok
+   functions are not called, this just does the file opening.  */
 extern KPSEDLL FILE *kpathsea_open_file (kpathsea kpse, const_string name,
                                          kpse_file_format_type format);
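Review bot: The new header comment says the extended routines "also check" TEXMF[SYS]VAR, which reads as an additional restriction, while in tex-file.c the flag adds directories in which an absolute name is accepted. Suggested first sentence: `As above, but absolute names under TEXMFVAR or TEXMFSYSVAR are also accepted.` The first two declarations omit the parameter names that the other prototypes in this block carry (`kpathsea kpse, const_string fname`), and there is a stray space before the final period in `options .`.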
 

Modified: trunk/Build/source/texk/kpathsea/version.ac
===================================================================
--- trunk/Build/source/texk/kpathsea/version.ac	2024-01-14 00:45:55 UTC (rev 69415)
+++ trunk/Build/source/texk/kpathsea/version.ac	2024-01-14 18:27:55 UTC (rev 69416)
@@ -1,5 +1,5 @@
 dnl $Id$
-dnl   Copyright 2016-2023 Karl Berry <tex-live at tug.org>
+dnl   Copyright 2016-2024 Karl Berry <tex-live at tug.org>
 dnl   Copyright 2011-2015 Peter Breitenlohner <tex-live at tug.org>
 dnl
 dnl   This file is free software; the copyright holder
@@ -11,8 +11,10 @@
 dnl   Only bug fixes:
 dnl     a.b.c => a.b.c+1
 dnl   Adding new interfaces (backwards compatible)
+dnl   (maybe not necessary to be absolutely strict about this)
 dnl     a.b.c => a.b+1.0
 dnl   Modifying or revoking interfaces (not backwards compatible)
+dnl   (we should never do this)
 dnl     a.b.c => a+1.0.0
 dnl
 dnl   After a release:
@@ -21,4 +23,4 @@
 dnl --------------------------------------------------------
 dnl
 dnl This file is m4-included from configure.ac.
-m4_define([kpse_version], [6.3.6/dev])
+m4_define([kpse_version], [6.4.0/dev])


