Re: [RFC] MIME attachments for comint
From: Augusto Stoffel
Subject: Re: [RFC] MIME attachments for comint
Date: Thu, 30 Sep 2021 09:09:46 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/28.0.50 (gnu/linux)

On Thu, 30 Sep 2021 at 02:02, Richard Stallman <rms@gnu.org> wrote:
> [[[ To any NSA and FBI agents reading my email: please consider ]]]
> [[[ whether defending the US Constitution against all enemies, ]]]
> [[[ foreign or domestic, requires you to follow Snowden's example. ]]]
>
> > But TeX markup could in principle execute arbitrary code.
>
> I'm surprised and worried. Can you show how that can happen?

From the tex manpage:

    -shell-escape
        Enable the \write18{command} construct. The command can be any
        shell command. This construct is normally disallowed for
        security reasons.

On luatex, this switch also controls the availability of certain Lua
functions: os.execute(), os.exec(), os.spawn(), and io.popen().

This option is off by default, or at least should be in a sane OS --
that's why I said “could in principle”. Also, I don't know exactly how
Org mode deals with this potential security issue in its LaTeX-preview
functionality, but I would expect this has been taken into
consideration.
In any case, I disabled TeX rendering in my little package for the time
being, until I'm confident it's safe.
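
The following is an added example, not part of the original message or of the package it mentions: one way a renderer can check the installation's shell-escape default and compile an untrusted fragment with the switch forced off. It assumes a TeX Live style installation providing `kpsewhich` and `latex`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example; function names are hypothetical.

# Map a texmf.cnf shell_escape value to a risk label:
#   f = \write18 disabled, p = restricted command list, t = any shell command.
# Anything else is reported as "unknown" and should be treated as unsafe.
classify_shell_escape() {
    case "$1" in
        f) echo disabled ;;
        p) echo restricted ;;
        t) echo unrestricted ;;
        *) echo unknown ;;
    esac
}

# Report the default this installation applies when no switch is given.
configured_shell_escape() {
    if command -v kpsewhich >/dev/null 2>&1; then
        classify_shell_escape "$(kpsewhich -var-value=shell_escape)"
    else
        echo unknown
    fi
}

# Compile an untrusted .tex file in a throwaway directory.
# -no-shell-escape overrides texmf.cnf; openin_any/openout_any=p ("paranoid")
# make TeX refuse absolute and parent-directory paths named by the document.
# Prints the path of the resulting DVI on success.
render_untrusted() {
    src=$1
    [ -f "$src" ] || return 1
    command -v latex >/dev/null 2>&1 || return 1
    workdir=$(mktemp -d) || return 1
    if cp "$src" "$workdir/input.tex" &&
       ( cd "$workdir" &&
         openin_any=p openout_any=p \
         latex -no-shell-escape -interaction=nonstopmode -halt-on-error \
               input.tex >/dev/null 2>&1 </dev/null ); then
        echo "$workdir/input.dvi"
    else
        rm -rf "$workdir"
        return 1
    fi
}
```

Passing `-no-shell-escape` explicitly means the result does not depend on whether the system default is "off", which is the uncertainty the message raises.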