texlua-based tool and restricted shell escape
Joseph Wright
joseph.wright at morningstar2.co.uk
Tue Feb 20 21:03:31 CET 2024
Hello Jonathan,
On 20/02/2024 19:54, Jonathan Fine wrote:
> Is there anyone from the arXiv reading this thread? It would be a shame if
> this feature delayed the deployment of tagged PDF via Latex. Or in any
> other way caused difficulty for the arXiv's very important typesetting
> service.
>
> By the way, the arxiv hosts:
> Title: Can You Accept LaTeX Files from Strangers? Ten Years Later
> https://arxiv.org/abs/2102.00856
>
> I'd be wary of running third party Latex files that could export via PDF
> important information about the system that is typesetting the files. For
> example, such information could reveal an unpatched vulnerability. This is
> discussed in section 3.2 of "Can you accept ...".
Restricted shell escape would mean a limit to directory listing to the
current working directory: this is seen for example in the existing
texosquery tool. I am not at present sure, but I suspect that the
changes for TL'24 at the engine level may well already ensure this: one
reason for the original query.
> Sometimes the name of a user file contains important information eg
> 2024-02-24-appointment-letter.pdf
Of course: already available from \jobname.
I note that "paranoid" security would disable such a tool in any case,
and that the particularly concerned can vet the entries allowed for
restricted shell escape themselves.
Regards,
Joseph
More information about the tex-live
mailing list.