[tex-live] Security issues for restricted shell escape

Heiko Oberdiek oberdiek at uni-freiburg.de
Fri Jul 17 19:28:11 CEST 2009


texmf.cnf contains in current pretest:

| % Enable system commands via \write18{...}.  When enabled fully (set to
| % 1), obviously insecure.  When enabled partially (set to p), only the
| % commands listed in shell_escape_commands are allowed.  Although this
| % is not fully secure either, it is much better, and so useful that we
| % enable it for everything but bare tex.
| shell_escape = p
| % No spaces in this command list.
| shell_escape_commands = \
| bibtex,convert,dvips,epstopdf,epspdf,etex,fc-match,gnuplot,\
| kpsewhich,latex,luatex,lualatex,makeindex,mpost,\
| pdfcrop,pdflatex,pdfluatex,ps2pdf,ps4pdf,pstopdf,pygmentize,\
| tex,texexec,texmfstart,ulqda\
| % plain TeX should remain unenhanced.
| shell_escape.tex = f

Setting "p" isn't much better than "1". The security holes are
huge. Many programs of the command list allow the execution
of arbitrary programs, examples:

* The call of "tex -shell-escape" with embedded calls to arbitrary
  programs is possible; the same for the other TeX variants.
* Version 1.17 closes some security holes in pdfcrop
  (using -dSAFER for ghostscript, -no-shell-escape,
  and validating arguments.) However it allows the configuration
  of programs that are called by the script (Ghostscript,
  pdfTeX or XeTeX). At least I have forbidden backticks and
  whitespace and the arguments are under the control of pdfcrop.
  However there might be malicious programs that igore their
  arguments ...
* ...

Yours sincerely
  Heiko <oberdiek at uni-freiburg.de>

More information about the tex-live mailing list