[tex-k] secure mode of dvips should be default

Paul Vojta vojta@math.berkeley.edu
Sat, 2 Jun 2001 17:45:39 -0700 (PDT)

> Date: Sat, 2 Jun 2001 23:15:59 +0100
> From: Julian Gilbey <J.D.Gilbey@qmw.ac.uk>
> To: Sebastian Rahtz <sebastian.rahtz@computing-services.oxford.ac.uk>
> Cc: texlive@tug.org, tetex-pretest@informatik.uni-hannover.de,
>         tex-k@mail.tug.org
> Subject: Re: [tex-k] secure mode of dvips should be default

> What would be really nice would be three levels of security:
> -R0  no external commands executed
> -R1  only trusted commands executed, such as gs (it shouldn't be too
>      hard for the wizards to come up with such a list of commonly used
>      commands, and they should be called directly, not via a shell, to
>      avoid the possibility of shell tricks)
> -R2  pass any `command special to a shell to handle
> How feasible would this be?

Why would dvips want to execute gs?

What I've encountered is that ` is almost always used to call zcat
or gunzip -c, etc.  So the list of trusted commands could be
uncompress, gunzip, bunzip2.  With that list, I don't see much need
for -R0.

Xdvi implements such a trusted list, sort of.  If xdvi encounters a
PostScript file whose name ends in .Z or .gz or .bz2, and if the first
2-3 bytes of the file are the correct magic bytes for the file type,
then xdvi will automatically pass the file through uncompress or gunzip
or bunzip2 before processing it.  IMHO, dvips should do the same
(and TeX, likewise, when getting bounding box information).

Comments, anyone?

--Paul Vojta, vojta@math.berkeley.edu
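The suffix-plus-magic-bytes check that Paul describes for xdvi, written out as an added example. This is not code from the thread, from xdvi or from dvips; it models the policy only. The magic bytes (1f 8b for gzip, "BZh" for bzip2, 1f 9d for compress) are the standard ones; the exact argv forms (`gunzip -c`, `bunzip2 -c`, `uncompress -c`), the `handle_special` function and the sample files are assumptions of this example, not anything the post specifies. The point it makes concrete: a file is decompressed only when its suffix and its leading bytes agree, the decompressor is run as an argv list with no shell, and a backtick command special never reaches `/bin/sh` in secure mode.

```python
"""
xdvi-style trusted decompression for a dvips-like psfile special.

Added example, not xdvi or dvips code.  Policy modelled from the thread:
run only a fixed list of decompressors, only when the file's suffix AND
its leading magic bytes agree, and invoke the tool directly (argv list,
no shell), so a backtick-quoted command in a special is never handed to
/bin/sh in secure mode.
"""
import bz2
import gzip
import os
import shutil
import subprocess
import tempfile

# Suffix -> (expected magic bytes, argv prefix).  The argv forms are an
# assumption of this example; xdvi's exact invocation is not given in the post.
TRUSTED = {
    ".gz":  (b"\x1f\x8b", ["gunzip", "-c"]),
    ".bz2": (b"BZh",      ["bunzip2", "-c"]),
    ".Z":   (b"\x1f\x9d", ["uncompress", "-c"]),
}


def classify(path):
    """'plain' when there is no compression suffix; the suffix itself when
    suffix and magic agree; 'mismatch' when the suffix lies about the bytes."""
    for suffix, (magic, _argv) in TRUSTED.items():
        if path.endswith(suffix):
            with open(path, "rb") as f:
                head = f.read(len(magic))
            return suffix if head == magic else "mismatch"
    return "plain"


def handle_special(arg, secure=True):
    """Decide what a psfile special argument may cause to happen.
    Returns ("read", path), ("run", argv) or ("reject", reason).
    A leading backtick is the -R2 'run this through a shell' form from the
    thread; secure mode refuses it outright."""
    if arg.startswith("`"):
        if secure:
            return ("reject", "command special refused in secure mode")
        return ("run", ["/bin/sh", "-c", arg[1:]])   # the -R2 behaviour
    kind = classify(arg)
    if kind == "plain":
        return ("read", arg)                         # just open the file
    if kind == "mismatch":
        return ("reject", "suffix does not match magic bytes")
    return ("run", TRUSTED[kind][1] + [arg])         # argv list, no shell


def maybe_decompress(path):
    """Run the trusted decompressor for `path` without a shell.  Returns the
    decompressed bytes, or None if the tool is not installed on this box."""
    action, payload = handle_special(path, secure=True)
    if action != "run":
        raise ValueError(f"{path}: {payload}")
    if shutil.which(payload[0]) is None:
        return None
    proc = subprocess.run(payload, stdout=subprocess.PIPE, check=True)
    return proc.stdout


# Constructed sample EPS body used for the test files below.
PAYLOAD = b"%!PS-Adobe-2.0 EPSF-2.0\n%%BoundingBox: 0 0 10 10\n"


def make_samples():
    """Constructed inputs in a temp dir: a real gzip, a real bzip2, a .Z that
    carries only the compress magic (not a real LZW stream), a plain .ps, and
    a .gz whose bytes are uncompressed text (the suffix lies)."""
    d = tempfile.mkdtemp()
    p = {k: os.path.join(d, "fig" + k) for k in (".gz", ".bz2", ".Z", ".ps")}
    with open(p[".gz"], "wb") as f:
        f.write(gzip.compress(PAYLOAD))
    with open(p[".bz2"], "wb") as f:
        f.write(bz2.compress(PAYLOAD))
    with open(p[".Z"], "wb") as f:
        f.write(b"\x1f\x9d\x90" + PAYLOAD)
    with open(p[".ps"], "wb") as f:
        f.write(PAYLOAD)
    p["lying.gz"] = os.path.join(d, "lying.ps.gz")
    with open(p["lying.gz"], "wb") as f:
        f.write(PAYLOAD)
    return p


if __name__ == "__main__":
    samples = make_samples()
    for name, path in samples.items():
        print(name, handle_special(path))
    print(handle_special("`rm -rf ~; gunzip -c fig.gz"))
```

The decision is made before any process is spawned, and the file is opened only to read the first few bytes; if the suffix and the magic disagree the file is refused rather than passed on as plain PostScript. `maybe_decompress` returns None instead of failing when the decompressor is absent, so the example runs on a minimal system; when `gunzip` and `bunzip2` are present it returns the original bytes.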