More info about LuaTeX 1.17.0 (security update)
Max Chernoff
mseven at telus.net
Tue May 23 00:48:46 CEST 2023
Hi Ken,

> en at deluxe /tmp $lualatex shell-escape-test.tex
> This is LuaHBTeX, Version 1.16.0 (TeX Live 2023)
> restricted system commands enabled.
> (./shell-escape-test.tex
> LaTeX2e <2022-11-01> patch level 1
> L3 programming layer <2023-02-22>sh: line 1: shell-escape-test.tex:
> command not found

The document attempts to run the last argument given on the command
line, so you need to run:

$ lualatex shell-escape-test.tex "sh -c 'echo @@@VULNERABLE@@@'"

I did it this way so that on Windows you could do something like:

$ luatex shell-escape-test.tex calc.exe

You can also make a more exciting demonstration on Linux too:

$ optex --no-shell-escape shell-escape-test.tex poweroff

-- Max
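
A defensive companion to the reproduction steps above, as an added example that is not part of the original message or of the LuaTeX project's code: it reads an engine banner of the form quoted in the message and reports whether the version predates the 1.17.0 release named in the subject line. The function names and the assumption that every version below 1.17.0 needs the update are this example's own.

```sh
#!/bin/sh
# Added example (not from the original message): flag LuaTeX-family engines
# older than the release named in this thread's subject line.
# Assumption: every version below FIXED_VERSION needs the update.
FIXED_VERSION="1.17.0"

# Print the first engine version found in banner text on stdin.
# Matches "This is LuaTeX, Version X" and "This is LuaHBTeX, Version X",
# also when the line is quoted with "> " as in a mail reply.
luatex_banner_version() {
    sed -n '/^.*This is Lua[A-Za-z]*TeX, Version \([0-9][0-9.]*\).*$/{s//\1/p;q;}'
}

# Return 0 when dotted version $1 is lower than $2, comparing the first
# three components numerically (so 1.9.0 < 1.17.0); missing parts count as 0.
version_lt() {
    vl_a=$1 vl_b=$2
    for vl_i in 1 2 3; do
        vl_x=${vl_a%%.*} vl_y=${vl_b%%.*}
        [ "${vl_x:-0}" -lt "${vl_y:-0}" ] && return 0
        [ "${vl_x:-0}" -gt "${vl_y:-0}" ] && return 1
        case $vl_a in *.*) vl_a=${vl_a#*.} ;; *) vl_a=0 ;; esac
        case $vl_b in *.*) vl_b=${vl_b#*.} ;; *) vl_b=0 ;; esac
    done
    return 1
}

# Read banner text on stdin. Status: 0 = at or above FIXED_VERSION,
# 1 = older (update needed), 2 = no LuaTeX banner in the input.
check_luatex_banner() {
    cb_found=$(luatex_banner_version)
    if [ -z "$cb_found" ]; then
        echo "no LuaTeX banner found"; return 2
    fi
    if version_lt "$cb_found" "$FIXED_VERSION"; then
        echo "LuaTeX $cb_found predates $FIXED_VERSION: update needed"
        return 1
    fi
    echo "LuaTeX $cb_found is at or above $FIXED_VERSION"
}

# Sample input: banner lines as quoted in the message above.
SAMPLE_LOG='> This is LuaHBTeX, Version 1.16.0 (TeX Live 2023)
> restricted system commands enabled.'
printf '%s\n' "$SAMPLE_LOG" | check_luatex_banner || true
# Live use: luatex --version | check_luatex_banner
```

The same function can be fed saved `.log` files from build machines, since the engine writes its banner at the top of each log.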