System queries with Lua: l3sys-query
Karl Berry
karl at freefriends.org
Wed Mar 6 00:34:25 CET 2024
Hi Joseph and David,
a script for doing (primarily) directory listings from Lua
https://github.com/latex3/l3sys-query
I passed it on to tlsecurity at tug.org for completeness, though I think
everyone there is also here.
The aim here is to be able to use it from restricted shell escape, which
means appropriate security review, etc. Hopefully we've been
conservative in that regard (currently it should simply refuse to
provide a listing at all outside pwd). Before thinking about a release,
I'd like to know what we need to do security-wise to have a chance to
get this into the default restricted list.
Do I understand correctly that the key safety bit is:
-- Look for absolute paths or any trying to leave the confines of the current
-- directory: this is not supported.
if match(spec,"%.%.") or
match(spec,"^/") or
match(spec,"^\\") or
match(spec,"[a-zA-Z]:") then
return
end
That looks ok to me. And when I tried running it, I got back the
expected blank line for anything untoward.
So I see no problems for security. I believe the --all option is
ineffective? (Which seems good.)
I have a number of non-security comments, but will write those up later
today or tomorrow. Wanted to send this off now. --thanks, karl.
More information about the tex-live
mailing list.