[tex-live] biber in texmf.cnf

Arno Trautmann Arno.Trautmann at gmx.de
Sat Sep 24 09:28:17 CEST 2011


Karl Berry wrote:
>      Oh, sorry, my question was unclear. I meant the section about shell-escape:
>      So, it is allowed to start bibtex without --shell-escape, but not biber.
>
> It is not an oversight.

I don't expect you guys to oversee anything ;)

>  We expended a lot of time and effort on
> auditing (and fixing) each program listed in shell_escape_commands.  The
> goal is to ensure, as best we could, that it is not possible for an
> arbitrary shell command to be run, or arbitrary file to be written, in
> the face of malicious input, weird cmdline args, etc.
>
> No such auditing has even been attempted for biber.  Just for a start, I
> would think that it would need to have taint mode enabled, and force
> loading its Perl::modules only from system directories.

So I should have indeed written to the biber list ;)

> Presumably in theory, with enough work, it would be possible to
> construct a "restricted" biber (as we did for epstopdf) that could be
> included.  That would be something to take up with Phil Kime.
> (Personally, I don't think risk/benefit is anywhere near good enough to
> bother with it.)

If you think so … well, maybe in TeX Live 2012?

However, thank you for your answer and all the work you've done!

Norbert Preining wrote:
> Especially since those who need it can add a line to
> .../2011/texmf.cnf and thus override the system-wide list of shell escapes.

Of course, but I'm thinking of a newcomer who wants to use a simple 
bibliography tool. And the simplest (in my opinion) and most flexible is 
bibLaTeX + biber. But a newcomer should not at all be forced to 
manipulate the texmf.cnf. [Although the 2-pass with external call of 
biber will be helpful for them to understand the system.]

cheers
Arno
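
The override Norbert describes, and a check of what the restricted list currently permits, as an added example (this is not code from the thread, from TeX Live, or from biber). It assumes the kpathsea conventions for `shell_escape_commands`: a comma-separated list with no spaces and an optional trailing comma, readable with `kpsewhich --var-value=shell_escape_commands`, and overridable by a `texmf.cnf` found earlier on `TEXMFCNF`. The sample list is constructed here, modelled on a TeX Live default; the real value comes from `kpsewhich`. The caveat follows from Karl's message: appending `biber` puts a program that nobody has audited for restricted mode into the list that restricted mode trusts, so the change is local to that installation and the user is taking on the risk that the audit was meant to remove.

```shell
#!/bin/sh
# Added example: inspect and extend TeX Live's restricted shell-escape list.
# Not part of TeX Live or biber; only kpsewhich --var-value is a real interface,
# the sample list below is constructed for illustration.

# restricted_allows LIST PROG
# Return 0 if PROG appears as a whole entry of the comma-separated LIST.
# Wrapping both sides in commas avoids matching "tex" inside "bibtex".
restricted_allows() {
  list=$1
  prog=$2
  case ",$list," in
    *",$prog,"*) return 0 ;;
    *)           return 1 ;;
  esac
}

# override_line LIST PROG
# Print the texmf.cnf line that adds PROG to LIST exactly once, keeping
# the trailing comma kpathsea tolerates. The override goes in a texmf.cnf
# that precedes the system one on TEXMFCNF (e.g. .../2011/texmf.cnf);
# the first definition found wins.
override_line() {
  list=$1
  prog=$2
  if restricted_allows "$list" "$prog"; then
    printf 'shell_escape_commands = %s\n' "$list"
  elif [ -z "$list" ]; then
    printf 'shell_escape_commands = %s,\n' "$prog"
  else
    printf 'shell_escape_commands = %s,%s,\n' "${list%,}" "$prog"
  fi
}

# live_restricted_list
# Query the installed TeX Live. shell_escape=p means restricted mode, which
# is the mode in which shell_escape_commands is consulted at all.
live_restricted_list() {
  command -v kpsewhich >/dev/null 2>&1 || {
    echo "kpsewhich not on PATH; no TeX Live to inspect" >&2
    return 1
  }
  printf 'shell_escape = %s\n' "$(kpsewhich --var-value=shell_escape)"
  printf 'shell_escape_commands = %s\n' "$(kpsewhich --var-value=shell_escape_commands)"
}

# Constructed sample list, modelled on a TeX Live default (not a captured value).
SAMPLE_LIST='bibtex,bibtex8,kpsewhich,makeindex,mpost,repstopdf,'

if [ "${1:-}" = "--demo" ]; then
  for p in bibtex biber tex; do
    if restricted_allows "$SAMPLE_LIST" "$p"; then
      echo "$p: permitted under restricted shell escape"
    else
      echo "$p: NOT permitted; a TeX run with -shell-escape would be needed"
    fi
  done
  echo "texmf.cnf line to permit biber (unaudited, local decision):"
  override_line "$SAMPLE_LIST" biber
  live_restricted_list || true
fi
```

Run it with `--demo` to see the decisions for the sample list and, if `kpsewhich` is installed, the live values; without arguments it only defines the functions so it can be sourced. Note that `restricted_allows` answers "is it in the list", not "is it safe": the whole point of Karl's reply is that those are different questions.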

