# [tex-live] epstopdf.sty 2008 vs 2009

Heiko Oberdiek oberdiek at uni-freiburg.de
Fri Aug 14 07:58:02 CEST 2009

On Thu, Aug 13, 2009 at 07:45:42PM -0500, Karl Berry wrote:

> This year will be the first time that we have enabled external
> execution, now in the new "restricted" mode.

That is in fact quite unrestricted with the current list of
allowed programs. The list has improved, but there are still
too many security holes:

```tex
% running through etex, latex, pdflatex, ...
\immediate\write18{ls -l}% disallowed
\immediate\write18\expandafter{\detokenize{%
etex -shell-escape \immediate\write18{ls -l}\end
}}% but this is allowed
\csname @@end\endcsname\end
```

Problematic entries in the list:
* etex
* pdfluatex
and perhaps others.

If these programs should be part of the list, then
the code that checks the program call could add a check
for (Perl pattern):
\w--?shell-e
* Options can be abbreviated. Because of "-shell-restricted"
the shortest variant is "-shell-e".
* -no-shell-escape is ok.

> Needs to be emblazoned in
> many announcements, since it'll require changes by the admins who need
> maximum paranoia, and there are some who have good reason for it.

I don't think it needs "maximum" paranoia for the wish that
restricted mode does not allow the execution of arbitrary programs.
Some of the security problems that should be addressed:
a) The executed programs must be known. It should be impossible
for an attacker to write a program/script/batch file with
an allowed name and call it afterwards. Main problem is
the current directory in PATH (not recommended anyway, but who
knows). The position doesn't matter. If the current directory
is the last one, then the attacker can still use names of
programs that aren't installed.
b) Arbitrary command calls must not be allowed. That requires
that each program that wants to be added to the allowed list
must be checked/audited/discussed, whether this is possible.
c) Writing files: Except for TeX programs, external programs
don't know about "openout_any" or "openin_any". Thus they
are able to write their results in any place that the
operating system permits. This is the price of restricted
mode. At least it should be impossible to write arbitrary
files. Settings of openout_any or openin_any aren't
necessarily inherited. Care is necessary, e.g.
texmf.cnf allows "openout_any=a", but etex is called
with environment variable "openout_any.etex=p", but the
called program is pdfluatex ...

Yours sincerely
Heiko <oberdiek at uni-freiburg.de>
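An added example, not from Heiko's mail or from TeX Live's own code: a Python sketch of the argument check proposed above for a restricted \write18 command line. It assumes a whitespace-split command (real quoting rules are not modelled) and a placeholder allowed-program set.

```python
import re

# The option restricted mode must refuse, and its shortest accepted
# abbreviation: because "-shell-restricted" also exists, "-shell-e" is the
# shortest prefix that still selects "-shell-escape".
FULL_OPTION = "shell-escape"
SHORTEST_ABBREV = "shell-e"

# Placeholder allowed-program list (the real list lives in texmf.cnf and is
# assumed here, not quoted).
ALLOWED_PROGRAMS = {"etex", "pdfluatex", "epstopdf"}


def enables_shell_escape(token: str) -> bool:
    """True if an argv token is "-shell-escape" or one of its abbreviations,
    with one or two leading dashes. "-no-shell-escape" is not matched because
    its option name does not start with "shell-e"."""
    m = re.fullmatch(r"--?([a-z-]+)(?:=.*)?", token)
    if not m:
        return False
    name = m.group(1)
    # name must be a prefix of "shell-escape" at least as long as "shell-e"
    return FULL_OPTION.startswith(name) and name.startswith(SHORTEST_ABBREV)


def check_shell_escape_command(command: str) -> tuple[bool, str]:
    """Decide whether a \\write18 command line is acceptable under restricted
    mode. Returns (allowed, reason). Tokenisation is a plain split; a real
    implementation must apply the same quoting rules as the TeX engine."""
    argv = command.split()
    if not argv:
        return False, "empty command"
    prog = argv[0]
    # Only bare names, resolved from trusted directories; this does not fix a
    # PATH that contains the current directory (point a in the mail).
    if "/" in prog or "\\" in prog:
        return False, "program must be a bare name, not a path"
    if prog not in ALLOWED_PROGRAMS:
        return False, f"{prog!r} is not on the allowed list"
    for arg in argv[1:]:
        if enables_shell_escape(arg):
            return False, f"{arg!r} would re-enable unrestricted shell escape"
    return True, "ok"
```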