texlua-based tool and restricted shell escape
Joseph Wright
joseph.wright at morningstar2.co.uk
Wed Feb 21 08:46:38 CET 2024
On 21/02/2024 07:16, Joseph Wright wrote:
> Hi Karl,
>
> On 20/02/2024 22:16, Karl Berry wrote:
>> Hi Joseph,
>>
>> In the notes for the upcoming TL'24 version of LuaTeX, it seems
>> that lfs
>> functions should be able to work safely in restricted shell
>> escape mode.
>> Is that a fair reading?
>>
>> Yes. That's exactly the goal. I won't be surprised if there is some
>> nefarious way to get around the protections (testers welcome), but we
>> did our best. (Luigi and Marcel did all the real work; thanks, guys.)
>
> Thanks for confirming: it's a bit hard to test ad hoc as of course I
> don't have an entry for the script in those things allowed in restricted
> shell escape just yet ... so I can only test unrestricted :) (If this
> looks like it will work, I will of course test locally.) I'm very happy
> to hear that I shouldn't need to worry at the script end, with the
> engine making sure things work properly.
>
>> wondering about putting together a Lua-based script that would do
>> the
>>
>> A Lua-based texosquery would be most welcome as far as I'm concerned. I
>> see no problem, in principle, with including it in
>> shell_escape_commands. I don't see any real difference between providing
>> functionality in language X vs. language Y. (Pace memoize-extract.pl
>> vs. .py ...)
>
> Sure: it was a question of whether you feel Lua can meet the fundamental
> security requirements. To be clear, I'm not necessarily thinking of all
> of the functionality of texosquery at the moment, rather focussed ideas
> that fit in with a use case I have in mind.
More specifically, as well as platform-neutral ls, I'm also thinking of
platform-neutral pwd. I note both are offered by texosquery.
Joseph
More information about the tex-live
mailing list.