[texworks] HELP: Integrated Tw LaTeX2e Help dialogue
Paul A Norman
paul.a.norman at gmail.com
Thu Jul 1 04:25:13 CEST 2010
Dear Reinhard,
Excellant concept, and on top of that we have Provenance.
In that the main question is how does a malicious script get into the
appropriate directories?
There are a great number of people who do not want to learn/do any
scripting but appreciate extra functionality or core type
functionality provided by scripts.
In many projects scripting is being recognised as just another and
important part of the development process.
If people download their scripts from known sources, thats the first safegurad.
Now if some diabolical person decides to take it upon themselves to
wreck havoc through people's usage of Tw I am afraid there are far far
easier, and more dastedly things they could do, than try to trick
people into letting them foist malicious scripts onto others.
Things we could barely detect or protect ourselves from, except
perhaps with heuristic levels set so high an OS would slow down too
much. Please accept that I do not wish to discuss this aspect any
further.
There is a saying I always try to kep in mind, ` The sluggard says,
"There is a lion outside!" or, "I will be murdered in the streets!". '
Pr 22:13, c.f. Pr 28:1
To me it means that yes there are dangers and problems, but if we, as
you suggest, work hard looking for necessary safguards, then we should
not fear the lion -- but be as bold as one in what we do!
Paul
On 1 July 2010 12:39, Reinhard Kotucha <reinhard.kotucha at web.de> wrote:
> On 1 July 2010 Paul A Norman wrote:
>
> > Now the issue is: should Tw scripting genreally have various forms of
> > file access or not.
> >
> > If it is not consdidered safe, then logically we must disable it for
> > the Lua and Python and any other future scripting modules as well.
>
> If such a script is able to create/overwrite a file called ~/.rhosts
> I'm quite concerned. The world is not as friendly as had been
> 20~years ago.
>
> It would be nice if the level of paranoia can be defined in texmf.cnf .
>
> Example:
>
> > % Allow TeX \openin, \openout, or \input on filenames starting with `.'
> > % (e.g., .rhosts) or outside the current tree (e.g., /etc/passwd)?
> > % a (any) : any file can be opened.
> > % r (restricted) : disallow opening "dotfiles".
> > % p (paranoid) : as `r' and disallow going to parent directories, and
> > % restrict absolute paths to be under $TEXMFOUTPUT.
> > openout_any = p
> > openin_any = a
>
> Regards,
> Reinhard
>
> --
> ----------------------------------------------------------------------------
> Reinhard Kotucha Phone: +49-511-3373112
> Marschnerstr. 25
> D-30167 Hannover mailto:reinhard.kotucha at web.de
> ----------------------------------------------------------------------------
> Microsoft isn't the answer. Microsoft is the question, and the answer is NO.
> ----------------------------------------------------------------------------
>
More information about the texworks
mailing list