On Dec 22, 2006, at 11:44 AM, Jeremy C. Reed wrote:
I am working on a system that generates latex and PDFs from data
provided
from the public.
I don't want to allow public to accidently or maliciously embed
some code
that breaks latex or breaks the system.
Can anyone point me to some URLs or docs or provide examples of
what could
be dangerous?
Does latex allow running commands?
One problem I imagine is attempting to include some abritrary file.
I will try to strip out possible tex commands from data but want to
make
sure I don't miss anything.
Thanks!
One dangerous thing I'm aware of is the tex command \write18{} which
lets you exectute arbitrary shell scripts, if that's enabled in your
texmf.cnf configuration file. This is not enable by default in the
tetex distribution I have installed on my Mac through fink, but it is
enabled in another tex distribution for the same platform (MacTeX),
so I think one can't be sure a priori. You could simply create a test
file like the following :
\documentclass{article}
\begin{document}
Hello
\write18{ls}
\end{document}
and run pdflatex on it. If this produces a directory listing amongst
the other command-line output, then the \write18 security hole
exists. There's more information to be found by googling "tex write18".
Jens
