Re: [RFC] MIME attachments for comint
From: Gregory Heytings
Subject: Re: [RFC] MIME attachments for comint
Date: Thu, 30 Sep 2021 08:49:22 +0000

But TeX markup could in principle execute arbitrary code.
I'm surprised and worried. Can you show how that can happen?
You probably know that TeX has a \write18{} command with which it is
possible to execute shell commands. The behavior of that command is (in
TeX Live) controlled by the shell_escape and shell_escape_commands
configuration variables in texmf.cnf. Their default values are:

    shell_escape = p

which means that shell commands are allowed "partially", that is, that the
only allowed commands are those that are listed in shell_escape_commands:

    shell_escape_commands =
      bibtex,bibtex8,extractbb,gregorio,kpsewhich,makeindex,repstopdf,r-mpost,texosquery-jre8

But this restriction is easy to circumvent:

    echo ls > bibtex
    chmod +x bibtex
    export PATH=.:$PATH
    echo '\write18{bibtex}\bye' > test.tex
    pdftex test.tex

In practice, this is not really a problem, because it requires either
changing one of the programs listed in shell_escape_commands, or changing
the PATH environment variable. But it's fragile nonetheless.
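
The restriction above depends on how the names in shell_escape_commands resolve through PATH. As an added example (not part of the original message), this shell script reports any listed name whose first PATH hit lies in an empty, relative, or group/world-writable directory; the function names unsafe_dir, first_hit and audit_shell_escape are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original message. Function names are hypothetical.

# True when a PATH entry lets someone else choose what a bare name runs:
# empty/relative entries follow the working directory, and group- or
# world-writable directories accept files planted by other users.
unsafe_dir() {
    case "$1" in
        ''|[!/]*) return 0 ;;
    esac
    case "$(ls -ldL "$1" 2>/dev/null)" in
        d????w*|d???????w*) return 0 ;;   # g+w or o+w in the mode string
    esac
    return 1
}

# Print the first entry of PATH string $1 that holds an executable file $2.
first_hit() {
    rest="$1:"
    while [ -n "$rest" ]; do
        dir=${rest%%:*}; rest=${rest#*:}
        f="${dir:-.}/$2"
        if [ -f "$f" ] && [ -x "$f" ]; then
            printf '%s\n' "$dir"
            return 0
        fi
    done
    return 1
}

# audit_shell_escape PATH LIST, where LIST is the comma-separated value of
# shell_escape_commands. Prints one line per name whose first hit is in an
# unsafe entry; returns 1 if any was found, 0 otherwise.
audit_shell_escape() {
    bad=0; old_ifs=$IFS; IFS=,
    for cmd in $2; do
        IFS=$old_ifs
        if dir=$(first_hit "$1" "$cmd") && unsafe_dir "$dir"; then
            printf 'UNSAFE %s resolves in "%s"\n' "$cmd" "$dir"
            bad=1
        fi
    done
    IFS=$old_ifs
    return "$bad"
}

# List as quoted in the message; live value: kpsewhich -var-value=shell_escape_commands
LIST=bibtex,bibtex8,extractbb,gregorio,kpsewhich,makeindex,repstopdf,r-mpost,texosquery-jre8
audit_shell_escape "$PATH" "$LIST" || echo "fix PATH before running TeX on untrusted input"
```

Running pdftex with -no-shell-escape, or setting shell_escape = f in texmf.cnf, turns \write18 off altogether.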