[tex-live] Status of restricted \write18 and epstopdf conversion

Alexander Cherepanov cherepan at mccme.ru
Sun Oct 18 22:39:43 CEST 2009


Hi Manuel!
On Sun, 18 Oct 2009 01:35:53 +0200, Manuel Pégourié-Gonnard <mpg at elzevir.fr> wrote:

>> And you can use backslash as a path separator on cygwin:
>> 
>>   ./repstopdf --outfile='dir\..\..\..\out.pdf' input.eps
>> 
>> (tested on cygwin1.5 only).

> Ok. Cygwin is quite complicated to get right, being sort of a mix of

Definitely.

> Unix and Windows. Thanks again for this information.

>> Approximate patch:

> It looks like a good start at first glance. I'll review it more
> thoroughly tomorrow (too tired now) and apply it.

>> +  # disallow quote
>> +  $ok = 0 if $OutputFilename =~ /"/;
>> +  # disallow newline (just to be on a safe side)
>> +  $ok = 0 if $OutputFilename =~ /\n/;

> This is not enough to prevent injection.
> 
> repstopdf --debug --outfile="$(echo hi >~/pwned; echo foo.pdf)" foo.eps

(probably you mean single quotes here, so command substitution happens 
when calling gs, not when calling repstopdf)

> still gives arbitrary command execution. This one can be circumvented,
> at least on Unix, by quoting the outfile name with single quotes (and
> then disallow single quotes in the value, or better escape them, since a
> legitimate user might want to use single quotes in his file names).

I've also thought about all this quoting but only after sending the 
email out:-( That requires some work...
Another issue here is environment variables like %TEMP% on Windows.

> But I'm thinking it would probably be better to use the list form of
> system() so that we avoid calling a shell at all, to really prevent
> injection.

This is also not that easy but you seem to manage it (just received 
your next mail), nice. Will look into the new version now.

Alexander Cherepanov
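
An added example, not part of the original message or of the epstopdf source: it contrasts the string form and the list form of Perl's system() for an output name that passes the two checks in the quoted patch. Assumptions: a Unix-like system with /bin/sh, `printf` standing in for the gs call, an assumed `-sOutputFile=` argument, and a constructed file name that only touches a marker file in a temporary directory.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);

$| = 1;    # keep our output in order with the child's output

# Scratch directory; the marker file shows whether a shell ran the substitution.
my $dir    = tempdir(CLEANUP => 1);
my $marker = "$dir/marker";

# Constructed output name, modelled on the one quoted in the message.
my $outfile = "\$(touch $marker; echo foo.pdf)";

# The two checks from the quoted patch hunk: reject double quote and newline.
sub passes_patch_checks {
    my ($name) = @_;
    return 0 if $name =~ /"/;
    return 0 if $name =~ /\n/;
    return 1;
}

sub report {
    my ($label) = @_;
    printf "%-12s substitution executed: %s\n", $label, (-e $marker ? "yes" : "no");
    unlink $marker if -e $marker;
}

printf "patch checks accept the name: %s\n",
    passes_patch_checks($outfile) ? "yes" : "no";

# String form: the line contains shell metacharacters, so Perl runs it via
# /bin/sh -c, and the shell expands $(...) inside the double quotes.
system(qq{printf '%s\\n' "-sOutputFile=$outfile" >/dev/null});
report("string form");

# List form (stand-in for the gs call): the program is executed directly with
# these exact arguments, so the name reaches it as literal text.
system('printf', '%s\n', "-sOutputFile=$outfile");
report("list form");
```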



