[tex-k] secure mode of dvips should be default

Tzafrir Cohen tzafrir@technion.ac.il
Fri, 1 Jun 2001 23:19:48 +0300 (IDT)


On Fri, 1 Jun 2001, Tomas G. Rokicki wrote:

> Thanks for the email on dvips security!
> Can you explain why secure mode should be on by default?
> In other words, how might I run TeX and/or dvips over
> untrusted code?Provide me with a convincing attack
> scenario.A time bomb in some macro source somewhere that
> gets included into a distribution?
> Certainly if someone embeds dvips into some sort of automatic,
> MIME-driven viewer, yes, secure mode should be set on, but
> for command-line use?

Suppose I post something as postscript or DVI and put it in my web page.
Some people may view that directly from the browser: let the browser
execute the appropriate commands that will make the document appear on my
display or be printed.

Others may download it and view it off-line. Do they need to "sanitize"
anything they download from my untrusted web page? I thought that DVI was
supposed to be a document format, and not yet another method for batch
execution. If "safer" won't be the default, then the user will forget to
add this option.

I know that dvips is a program that reads a certain input and writes a
certain output as spesified in the command-line. I don't want to be
surprised by some strange documents.

I think that the example of macros of ms-office documents teaches us all
that macros with unlimited abilities in documents of not totally trusted
sources are a source of troubles.

Tzafrir Cohen