On Fri, 24 Jan 2025 at 13:06, Lukas Heindl via luatex <luatex@tug.org>
wrote:

> Hi,
>
> alright, I see.
>
> There is one (not security critical) odd thing regarding these wrappers.
> Why do you check names/paths for output and input regarding kpse when
> wrapping mkdir? [1]
> Checking if it's a valid output totally makes sense, but why also check if
> it's a valid output?
> (sorry for bothering again, but since this is security related, I don't
> want to silently ignore this here)
>
> I see according to git blame this was changed ~1 year ago when adding the
> wrapper but maybe someone still knows the rationale behind this.
> Also to be clear, I'm not seeking to remove the additional check in
> luatex, I just want to understand (and react based on it for the custom
> wrapper I'm writing).
>
>
iirc to be safe with in/out names, see kpathsea.info 5.6.4 Auxiliary tasks.

--
luigi
