On 09/08/2017 09:05, Guenter Milde wrote:
For EPS to PDF this means we could preferably use "repstopdf" instead of
"epstopdf".
"repstopdf" is the version "whitelisted" in texmf.cnf for use with the
restricted shell access.
On my Debian system, it is just a symlink to epstopdf:
Ubuntu 17.04:
$ epstopdf -h | grep restricted
--restricted use restricted mode (default: false)
$ repstopdf -h | grep restricted
--restricted use restricted mode (default: true)
Guess this is the standard. So, would we need the attached patch ?
T.
commit b5c5a5a8
Author: Tommaso Cucinotta <tomm...@lyx.org>
Date: Thu Aug 10 10:59:47 2017 +0200
Switch to restricted repstopdf instead of regular epstopdf, for security reasons.
diff --git a/lib/configure.py b/lib/configure.py
index 8e7fedbb..46d797e6 100644
--- a/lib/configure.py
+++ b/lib/configure.py
@@ -996,15 +996,15 @@ def checkConverterEntries():
checkProg('an EMF -> PDF converter', [inkscape_name + ' --file=$$i --export-area-drawing --without-gui --export-pdf=$$o'],
rc_entry = [ r'\converter emf pdf6 "%%" ""'])
# Only define a converter to pdf6 for graphics
- checkProg('an EPS -> PDF converter', ['epstopdf'],
- rc_entry = [ r'\converter eps pdf6 "epstopdf --outfile=$$o $$i" ""'])
+ checkProg('an EPS -> PDF converter', ['repstopdf'],
+ rc_entry = [ r'\converter eps pdf6 "repstopdf --outfile=$$o $$i" ""'])
#
checkProg('an EPS -> PNG converter', ['magick $$i $$o', 'convert $$i $$o'],
rc_entry = [ r'\converter eps png "%%" ""'])
#
# no agr -> pdf6 converter, since the pdf library used by gracebat is not
# free software and therefore not compiled in in many installations.
- # Fortunately, this is not a big problem, because we will use epstopdf to
+ # Fortunately, this is not a big problem, because we will use repstopdf to
# convert from agr to pdf6 via eps without loss of quality.
checkProg('a Grace -> Image converter', ['gracebat'],
rc_entry = [
