[tex-live] Status of restricted \write18 and epstopdf conversion

Manuel Pégourié-Gonnard mpg at elzevir.fr
Sun Oct 18 01:35:53 CEST 2009


Alexander Cherepanov wrote:
> First of all, you talk about 
> rsync://tug.org/tldevsrc/Master/texmf-dist/scripts/epstopdf/epstopdf.pl
> (size: 17776, last changed: 2009/10/15 03:39:50), right?
> 
Right.

> As far as I can see, there are no checks for injections in --outfile= 
> at all.

You are perfectly right. Thanks a lot for noticing. I was so
concentrated on the openout_any checks for this one that I forgot the
injection problem.

> Arbitrary command execution is possible:
> 
>   ./repstopdf --outfile='out.pdf" - -c quit; echo Hi! > out; true "' input.eps
> 
> This should be prohibited, I suppose?
> 
Of course.

> The following should be prohibited as well:
> 
>   ./repstopdf --gscmd="gs
>   " input.eps
> 
>   ./repstopdf --autorotate="None
>   " input.eps
> 
Right. I should know my perl regexes better.

> There is a couple of quirks on Windows. Relative paths on other 
> drives (like "c:dir/file") are allowed. And alternate data streams 
> on NTFS (like "file:ads") are allowed (didn't test it but should work; 
> no big deal in any case but to be on the safe side it's better to ban 
> it). Both could be ruled out by checking for a colon.
> 
Right.

> And you can use backslash as a path separator on cygwin:
> 
>   ./repstopdf --outfile='dir\..\..\..\out.pdf' input.eps
> 
> (tested on cygwin1.5 only).
> 
Ok. Cygwin is quite complicated to get right, being sort of a mix of
Unix and Windows. Thanks again for this information.

> Approximate patch:
> 
It looks like a good start at first glance. I'll review it more
thoroughly tomorrow (too tired now) and apply it.

> +  # disallow quote
> +  $ok = 0 if $OutputFilename =~ /"/;
> +  # disallow newline (just to be on a safe side)
> +  $ok = 0 if $OutputFilename =~ /\n/;
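Review bot: rejecting only `"` and `\n` in $OutputFilename does not close the injection, because the value still reaches a shell where `$(...)`, backticks and other metacharacters are expanded; the reply below gives exactly such a value that passes both regexes. Either escape the value for the shell before interpolating it, or, better, pass it as its own element of the list form of system() so that no shell ever parses it.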

This is not enough to prevent injection.

repstopdf --debug --outfile="$(echo hi >~/pwned; echo foo.pdf)" foo.eps

still gives arbitrary command execution. This one can be circumvented,
at least on Unix, by quoting the outfile name with single quotes (and
then disallowing single quotes in the value, or better escaping them,
since a legitimate user might want to use single quotes in his file names).

But I'm thinking it would probably be better to use the list form of
system() so that we avoid calling a shell at all, to really prevent
injection.

Manuel.
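As an added illustration of the list-form system() idea above (this is not the epstopdf.pl code nor Alexander's patch), combining the output-name checks discussed in the thread with a gs invocation that never goes through a shell; the gs options and the use of /bin/echo as a stand-in for gs are assumptions:

```perl
#!/usr/bin/env perl
# Added example: outfile validation plus list-form system(), not epstopdf.pl.
use strict;
use warnings;

# Checks drawn from the thread: reject quotes and newlines, and reject ':'
# and '\' (drive-relative paths, NTFS ADS, backslash separators on Cygwin).
# The openout_any path checks are a separate matter and are not shown here.
sub outfile_ok {
    my ($name) = @_;
    return 0 if $name eq '';
    return 0 if $name =~ /["'\n]/;   # double/single quote, newline
    return 0 if $name =~ /[:\\]/;    # colon, backslash
    return 1;
}

# Builds the argument vector for one gs run. The option set is a hypothetical
# placeholder for whatever epstopdf really passes.
sub gs_argv {
    my ($gscmd, $outfile, $infile, $autorotate) = @_;
    return ($gscmd,
            '-q', '-dNOPAUSE', '-dBATCH', '-dSAFER',
            '-sDEVICE=pdfwrite',
            "-dAutoRotatePages=/$autorotate",
            "-sOutputFile=$outfile",
            $infile);
}

sub run_gs {
    my @argv = @_;
    # List form with several elements: Perl execs the program directly,
    # no /bin/sh is involved, each element becomes exactly one argv entry.
    my $rc = system(@argv);
    return $rc == 0;
}

# Demo (constructed inputs, two of them taken from this thread); /bin/echo
# stands in for gs so nothing is converted and argv is simply shown back.
my @tests = (
    'out.pdf',
    'out.pdf" - -c quit; echo Hi! > out; true "',
    '$(echo hi >~/pwned; echo foo.pdf)',
    'c:dir/file.pdf',
    'dir\..\..\..\out.pdf',
);
for my $name (@tests) {
    printf "%-45s %s\n", $name, outfile_ok($name) ? 'accepted' : 'rejected';
}
# The '$(...)' value passes the character checks, yet with the list form it
# is handed to the program verbatim and nothing inside it is ever expanded.
run_gs(gs_argv('/bin/echo', $tests[2], 'input.eps', 'None'));
```

With a single-string system() call the same value would be handed to a shell first; the list form removes that step rather than trying to enumerate every dangerous character.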

