[tex-live] biber in texmf.cnf
Arno.Trautmann at gmx.de
Sat Sep 24 09:28:17 CEST 2011
Karl Berry wrote:
> Oh, sorry, my question was unclear. I meant the section about shell-escape:
> So, it is allowed to start bibtex without --shell-escape, but not biber.
> It is not an oversight.
I don't expect you guys to oversee anything ;)
> We expended a lot of time and effort on
> auditing (and fixing) each program listed in shell_escape_commands. The
> goal is to ensure, as best we could, that it is not possible for an
> arbitrary shell command to be run, or arbitrary file to be written, in
> the face of malicious input, weird cmdline args, etc.
> No such auditing has even been attempted for biber. Just for a start, I
> would think that it would need to have taint mode enabled, and force
> loading its Perl::modules only from system directories.
So I should have indeed written to the biber list ;)
> Presumably in theory, with enough work, it would be possible to
> construct a "restricted" biber (as we did for epstopdf) that could be
> included. That would be something to take up with Phil Kime.
> (Personally, I don't think risk/benefit is anywhere near good enough to
> bother with it.)
If you think so … well, maybe in TeX Live 2012?
However, thank you for your answer and all the work you've done!
Norbert Preining wrote:
> Especially since those who need it can add a line to
> .../2011/texmf.cnf and override thus the system wide list of shell escapes.
Of course, but I'm thinking of a newcomer who wants to use a simple
bibliography tool. And the most simple (in my opinion) and flexible is
bibLaTeX + biber. But a newcomer should not at all be forced to
manipulate the texmf.cnf. [Although the 2-pass with external call of
biber will be helpful for them to understand the system.]
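The thread turns on whether a program is on the audited `shell_escape_commands` allow-list in texmf.cnf. The script below is an added example for this archive page, not code from the thread or from TeX Live: it parses a texmf.cnf-style text (the sample configuration is constructed here, not the real file) into the effective list, then checks a program name against it, which is the check an administrator wants before assuming restricted shell escape covers a given tool. On a real installation the current value is reported by `kpsewhich --var-value=shell_escape_commands`.

```shell
#!/bin/sh
# Added example (not part of the thread): extract shell_escape_commands
# from a texmf.cnf-style configuration and test membership.
# SAMPLE_CNF is a constructed snippet, not the real TeX Live texmf.cnf;
# like the real file it uses backslash line continuation for the list.
SAMPLE_CNF='% constructed sample, not the real TeX Live file
shell_escape = p
shell_escape_commands = \
bibtex,bibtex8,\
kpsewhich,repstopdf
'

# Read config text on stdin, join backslash-continued lines, and print the
# value of shell_escape_commands with all whitespace removed.
shell_escape_list() {
  awk '
    # a line ending in a backslash continues on the next line
    /\\$/ { buf = buf substr($0, 1, length($0) - 1); next }
    {
      buf = buf $0
      if (buf ~ /^[ \t]*shell_escape_commands[ \t]*=/) {
        sub(/^[ \t]*shell_escape_commands[ \t]*=[ \t]*/, "", buf)
        gsub(/[ \t]/, "", buf)
        print buf
      }
      buf = ""
    }
  '
}

# Return 0 if program $1 is an exact entry of comma-separated list $2.
# Surrounding the list with commas avoids matching "bibtex" inside "bibtex8".
is_allowed() {
  case ",$2," in
    *",$1,"*) return 0 ;;
    *)        return 1 ;;
  esac
}

# Is program $1 allowed by the constructed sample configuration?
check_sample() {
  is_allowed "$1" "$(printf '%s\n' "$SAMPLE_CNF" | shell_escape_list)"
}

# Same check against the live installation (requires TeX Live's kpsewhich).
check_installed() {
  is_allowed "$1" "$(kpsewhich --var-value=shell_escape_commands | tr -d ' \t')"
}

for prog in bibtex biber; do
  if check_sample "$prog"; then
    echo "$prog: allowed under restricted shell escape (sample config)"
  else
    echo "$prog: NOT allowed; needs --shell-escape or a texmf.cnf override"
  fi
done
```

The `case` pattern matches whole entries only, so `bibtex` being listed says nothing about `bibtex8`, and vice versa; with the sample list, `bibtex` is reported as allowed and `biber` is not, which is exactly the situation the thread describes.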