[tex-live] epstopdf.sty 2008 vs 2009
Heiko Oberdiek
oberdiek at uni-freiburg.de
Fri Aug 14 07:58:02 CEST 2009
On Thu, Aug 13, 2009 at 07:45:42PM -0500, Karl Berry wrote:
> recent versions of (pdf)latex do not allow calling remote programs.
>
> This year will be the first time that we have enabled external
> execution, now in the new "restricted" mode.
That is in fact quite unrestricted with the current list of
allowed programs. The list has improved, but there are still
too many security holes:
% running through etex, latex, pdflatex, ...
\immediate\write18{ls -l}% disallowed
\immediate\write18\expandafter{\detokenize{%
etex -shell-escape \immediate\write18{ls -l}\end
}}% but this is allowed
\csname @@end\endcsname\end
Problematic entries in the list:
* etex
* pdfluatex
and perhaps others.
If these programs should be part of the list, then
the code that checks the program call could add a check
for (Perl pattern):
\w--?shell-e
* Options can start with one or two hyphens.
* Options can be abbreviated. Because of "-shell-restricted"
the shortest variant is "-shell-e".
* -no-shell-escape is ok.
> Needs to be emblazoned in
> many announcements, since it'll require changes by the admins who need
> maximum paranoia, and there are some who have good reason for it.
I don't think it needs "maximum" paranoia for the wish that
restricted mode does not allow the execution of arbitrary programs.
Some of the security problems that should be addressed:
a) The executed programs must be known. It should be impossible
for an attacker to write a program/script/batch file with
an allowed name and call it afterwards. The main problem is
the current directory in PATH (not recommended anyway, but who
knows). The position doesn't matter. If the current directory
is the last one, then the attacker can still use names of
programs that aren't installed.
b) Arbitrary command calls must not be allowed. That requires
that each program that wants to be added to the allowed list
must be checked/audited/discussed, whether this is possible.
c) Writing files: Except for TeX programs external programs
don't know about `openout_any' or `openin_any'. Thus they
are able to write their results in any place that the
operating system permits. This is the price of restricted
mode. At least it should be impossible to write arbitrary
files. Settings of openout_any or openout_in aren't
necessarily inherited. Care is necessary, e.g.
texmf.cnf allows "openout_any=a", but `etex' is called
with environment variable "openout_any.etex=p", but the
called program is `pdfluatex' ...
Yours sincerely
Heiko <oberdiek at uni-freiburg.de>
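Added example, not part of the mailing-list post above and not TeX Live's own code: a small Python model of the checks the message asks for, namely that the program name is on an allow-list and not given with a path component, that PATH does not contain the current directory (point a), and that an allowed TeX engine is not handed any abbreviation of -shell-escape (the Perl-pattern idea), while -no-shell-escape and -shell-restricted pass. The names check_restricted_command, is_shell_escape_option, ALLOWED_PROGRAMS and TEX_ENGINES, and the allow-list contents, are assumptions made for this illustration.

```python
import re
import shlex

# Hypothetical allow-list for the modelled restricted mode (assumption, not
# TeX Live's real list).  The engines in TEX_ENGINES can re-enable shell
# escape from their own command line, so their arguments need inspection.
ALLOWED_PROGRAMS = {"bibtex", "etex", "pdfluatex", "epstopdf"}
TEX_ENGINES = {"etex", "pdfluatex"}

# An option is one or two hyphens followed by a lowercase, hyphenated name.
OPTION_RE = re.compile(r"^(--?)([a-z][a-z-]*)$")


def is_shell_escape_option(arg):
    """True if arg is -shell-escape, --shell-escape or any abbreviation.

    Options may be abbreviated, and because -shell-restricted also exists
    the shortest unambiguous form is "-shell-e".  -no-shell-escape does not
    match because the name must begin with "shell-e" right after the hyphens.
    """
    m = OPTION_RE.match(arg)
    if not m:
        return False
    name = m.group(2)
    return name.startswith("shell-e") and "shell-escape".startswith(name)


def path_includes_cwd(search_path):
    """True if the PATH entries contain the current directory.

    An empty entry or "." lets a file dropped next to the document shadow
    (or impersonate, if not installed) an allowed program; as the post notes,
    the position of that entry in PATH does not matter.
    """
    return any(entry in ("", ".") for entry in search_path)


def check_restricted_command(cmdline, search_path):
    """Return (ok, reason) for a \\write18 command line under the modelled
    restricted mode.  search_path is PATH already split into entries."""
    try:
        # posix=False keeps TeX backslashes intact in the arguments.
        argv = shlex.split(cmdline, posix=False)
    except ValueError as exc:
        return False, "unparsable command line: %s" % exc
    if not argv:
        return False, "empty command"
    prog = argv[0]
    if "/" in prog or "\\" in prog:
        return False, "program must be a bare name, not a path"
    if prog not in ALLOWED_PROGRAMS:
        return False, "%s is not on the allow-list" % prog
    if path_includes_cwd(search_path):
        return False, "PATH contains the current directory"
    if prog in TEX_ENGINES:
        for arg in argv[1:]:
            if is_shell_escape_option(arg):
                return False, "%s would re-enable shell escape via %s" % (prog, arg)
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample command lines, including the nested call from the post.
    samples = [
        "ls -l",
        "etex -shell-escape \\immediate\\write18{ls -l}\\end",
        "etex --shell-e paper.tex",
        "etex -no-shell-escape paper.tex",
        "etex -shell-restricted paper.tex",
        "./etex paper.tex",
        "bibtex paper",
    ]
    for cmd in samples:
        ok, why = check_restricted_command(cmd, ["/usr/local/bin", "/usr/bin"])
        print("%-5s %-55s %s" % ("allow" if ok else "deny", cmd, why))
    print(check_restricted_command("bibtex paper", ["/usr/bin", ""]))
```

The engine-argument check is the narrow fix the post suggests; it does not address point c (external programs ignoring openout_any), which needs per-program auditing rather than a command-line filter.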