On Friday, January 24th, 2025 at 14:53, luigi scarso <luigi.sca...@gmail.com> wrote:
> On Fri, 24 Jan 2025 at 13:06, Lukas Heindl via luatex <luatex@tug.org> wrote:
>
> > Hi,
> >
> > alright, I see.
> >
> > There is one (not security critical) odd thing regarding these wrappers.
> > Why do you check names/paths for output and input regarding kpse when
> > wrapping mkdir? [1]
> > Checking if it's a valid output totally makes sense, but why also check if
> > it's a valid output?
> > (sorry for bothering again, but since this is security related, I don't
> > want to silently ignore this here)
> >
> > I see according to git blame this was changed ~1 year ago when adding the
> > wrapper but maybe someone still knows the rationale behind this.
> > Also to be clear, I'm not seeking to remove the additional check in luatex,
> > I just want to understand (and react based on it for the custom wrapper I'm
> > writing).
> >
> iirc to be safe with in/out names, see kpathsea.info 5.6.4 Auxiliary tasks.
>
> --
> luigi

Hi,

I see [1] describes what these functions check. But I still don't quite get how mkdir is related to input names. Isn't mkdir exclusively about output stuff?

Lukas

[1]: https://tug.org/texinfohtml/kpathsea.html#Auxiliary-tasks