[tex-live] Status of restricted \write18 and epstopdf conversion

Alexander Cherepanov cherepan at mccme.ru
Mon Oct 19 00:01:20 CEST 2009

Hi Manuel!
On Sun, 18 Oct 2009 22:04:31 +0200, Manuel Pégourié-Gonnard <mpg at elzevir.fr> wrote:

>>> There is a couple of quirks on Windows. Relative paths on other 
>>> drives (like "c:dir/file") are allowed.

> By the way, I'm surprised. According to my tests, those were catched by
> the file_name_is_absolute() test. 

That's strange. The following perl script:

  use File::Spec::Functions qw(file_name_is_absolute);
  print file_name_is_absolute("c:dir/file") ? "absolute" : "relative";

gives "relative" for me on linux, windows (bundled tlperl), and 
cygwin. And this is right as this path is not absolute:-) IMHO this 
path is neither relative but there is no file_name_is_relative 
function to check for this.

> Anyway, I agree that we should forbid
> ':' for the sake of alternate data streams, so it doesn't matter.

>> But I'm thinking it would probably be better to use the list form of
>> system() so that we avoid to call a shell at all, to really prevent
>> injection.

> After a night's thinking, I didn't change my mind. Trying to trap every
> possibly abusable shell special character is nearly impossible,
> especially on windows, were quoting is so weird. In the latest version:
> http://tug.org/svn/texlive/trunk/Master/texmf-dist/scripts/epstopdf/epstopdf.pl
> I applied your patch and changed the way we call GS in order to avoid
> calling a shell (or a cmd.exe). This way, command-line injection is
> definitely not possible.


> The bad side is, this form of pipe open doesn't work on windows [1] so I
> decided to use a temporary file here.


> According to my tests and
> File::Temp's documentation, the temporary file is correctly removed when
> the script finishes.

Seems so.

> Since this is quite an important implementation change, testing
> (especially on windows/cygwin) is very welcome.

Basic tests works fine for me on linux, windows, and cygwin1.5. 
cygwin1.5 work with temporary file and with pipe. So you can leave 
temporary file only for bare windows if you want.

Alexander Cherepanov

More information about the tex-live mailing list