texlua-based tool and restricted shell escape
Zdenek Wagner
zdenek.wagner at gmail.com
Wed Feb 21 01:25:06 CET 2024
Hi,
I am one of the users who disabled shell_escape. The shell_escape
commands are defined without full paths thus it is possible that a
malicious program with that name will be written to the computer and
executed. If someone sends me a file which relies on shell_escape, it
will not work on my computers.
Zdeněk Wagner
https://www.zdenek-wagner.eu/
st 21. 2. 2024 v 1:10 odesílatel Reinhard Kotucha via tex-live
<tex-live at tug.org> napsal:
>
> On 2024-02-20 at 15:16:04 -0700, Karl Berry wrote:
>
> > Whether the equivalent of "ls" (what texosquery does) should be an
> > allowed operation [...]
>
> Is this Java related?
>
> In my texlua scripts I can read and write files, list contents of
> directories, etc. Of course, all limited by the settings of
> openin_any and openout_any.
>
> Regards,
> Reinhard
>
> --
> ------------------------------------------------------------------
> Reinhard Kotucha Phone: +49-511-3373112
> Marschnerstr. 25
> D-30167 Hannover mailto:reinhard.kotucha at gmx.de
> ------------------------------------------------------------------
>
More information about the tex-live
mailing list.