[tex-live] Status of restricted \write18 and epstopdf conversion

Manuel Pégourié-Gonnard mpg at elzevir.fr
Sun Oct 18 22:04:31 CEST 2009

Manuel Pégourié-Gonnard a écrit :
>> There is a couple of quirks on Windows. Relative paths on other 
>> drives (like "c:dir/file") are allowed.

By the way, I'm surprised. According to my tests, those were catched by
the file_name_is_absolute() test. Anyway, I agree that we should forbid
':' for the sake of alternate data streams, so it doesn't matter.

> But I'm thinking it would probably be better to use the list form of
> system() so that we avoid to call a shell at all, to really prevent
> injection.
After a night's thinking, I didn't change my mind. Trying to trap every
possibly abusable shell special character is nearly impossible,
especially on windows, were quoting is so weird. In the latest version:


I applied your patch and changed the way we call GS in order to avoid
calling a shell (or a cmd.exe). This way, command-line injection is
definitely not possible.

The bad side is, this form of pipe open doesn't work on windows [1] so I
decided to use a temporary file here. According to my tests and
File::Temp's documentation, the temporary file is correctly removed when
the script finishes.

Since this is quite an important implementation change, testing
(especially on windows/cygwin) is very welcome.


[1] There is a workaround documented in perlfork. Unfortunately it
doesn't work with the Perl version we ship. It works however with Perl
5.10.0 from strawberry Perl, according to my tests.

More information about the tex-live mailing list