[tex-live] Status of restricted \write18 and epstopdf conversion
Manuel Pégourié-Gonnard
mpg at elzevir.fr
Tue Oct 27 12:21:13 CET 2009
Philip TAYLOR wrote:
> OK, I don't want to pursue this one excessively (mainly because,
> it being a glorious autumn day, I am keen to get out cycling),
I don't want to discuss this in detail right now either, because this
feature has been temporarily withdrawn, and until TL09 is released, I
prefer concentrating on problems with TL09. We can discuss it later, of
course.
> but isn't it /possible/ that through a clever combination of
> dirty tricks, a Trojan could fake one of the very commands
> that the restricted version of shell-escape is willing
> to execute, thereby once again compromising the whole system ?
>
One of the reasons that made us withdraw the feature for now is
precisely that this is not impossible now. When we re-introduce the
feature, we will try hard to make sure this (and other kinds of attacks)
is not possible. (Of course one can never be 100% sure, but the same is
true for many other features of *TeX and other software.)
Manuel.