[tex-live] Status of restricted \write18 and epstopdf conversion
mpg at elzevir.fr
Tue Oct 20 00:31:31 CEST 2009
Alexander Cherepanov wrote:
>> By the way, this particular example doesn't
>> work with TeX, since it will write .ssh/authorized_keys.tex (I tried).
> And here repstopdf starts to differ from tex.
> BTW it's easy to bypass this restriction under windows: just add a
> dot at the end of file name -- it's ignored by os but makes tex think
> that there is already an extension.
I don't think it is intended to be a restriction anyway.
> Then openout_any=r seems strange. It gives false sense of security.
> The problem is not that it doesn't work, but rather that it makes you
> think that it works while not really protecting.
Perhaps it should be better documented...
>>> 2. repstopdf --nogs " ../file" (and ">../file") bypasses checks but
>>> you have already fixed it:-)
>> That's what I like with the list form of system(): it fixes things you
>> didn't even think about. :-)
> It's a similar but distinct issue -- note --nogs. It was fixed by
> open($OUT, '>', $OutputFilename)
Oh, right, I didn't read your example carefully enough. I made this
change routinely, I had no example of abuse in mind. Thanks for
providing one :-)
>> Right. I'm going to implement real support for openXX_any this evening
>> (must do real-life work now): most of the job is already done.
Well, finally not. Looks like we are not shipping with restricted
\write18 enabled by default (nor easy to enable) after all (I just
discovered a quoting problem in the C part of the code on Unix, which
can be solved only by patching then recompiling everything).
Anyway, thanks a lot for all your help!
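
The difference between two-argument and three-argument open() discussed in this message, as an added example that is not code from epstopdf or from the original post. The name check `looks_local`, the helper names and the temporary directory layout are hypothetical and constructed for illustration; it assumes a Unix-like system.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);

# Constructed sandbox: $top/work is the working directory, $top/file is "outside" it.
my $top  = tempdir(CLEANUP => 1);
my $work = File::Spec->catdir($top, 'work');
mkdir($work) or die "mkdir: $!";
chdir($work) or die "chdir: $!";
my $outside = File::Spec->catfile($top, 'file');

# Hypothetical check: accept only names that are not absolute and do not start with "..".
sub looks_local {
    my ($name) = @_;
    return $name !~ m{^(?:/|\.\.)} ? 1 : 0;
}

# Two-argument open: Perl parses the string, strips surrounding whitespace
# and reads leading ">" characters as the mode.
sub write_two_arg {
    my ($name) = @_;
    open(my $out, ">$name") or return "open failed: $!";
    print {$out} "data\n";
    close($out) or return "close failed: $!";
    return 'written';
}

# Three-argument open: the mode is fixed and the name is used literally.
sub write_three_arg {
    my ($name) = @_;
    open(my $out, '>', $name) or return "open failed: $!";
    print {$out} "data\n";
    close($out) or return "close failed: $!";
    return 'written';
}

for my $name (' ../file', '>../file') {
    for my $case (['two-arg', \&write_two_arg], ['three-arg', \&write_three_arg]) {
        unlink $outside;    # reset between runs
        my $result = $case->[1]->($name);
        printf "%-9s name=[%s] check_passed=%d result=%s wrote_outside=%s\n",
            $case->[0], $name, looks_local($name), $result,
            (-e $outside ? 'yes' : 'no');
    }
}

chdir(File::Spec->tmpdir) or die "chdir: $!";    # leave the sandbox so cleanup can remove it
```

Both names pass the prefix check; only the two-argument form then resolves them to `../file`, while the three-argument form looks for a directory literally named ` ..` or `>..` and fails.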