Packaging of a standalone program (Digestif)

Marcel Fabian Krüger tex at 2krueger.de
Tue Nov 29 05:25:22 CET 2022


On Tue, Nov 29, 2022 at 01:11:05AM +0100, Augusto Stoffel wrote:
> Yes.  You can also just place the files in the current directory since
> 
>      $ kpsewhich -var-brace-value TEXINPUTS | awk -F: '{print $1}'
>      .
> 
> which in my view is a potential security issue in LuaTeX.  For instance,
> if someone sends you a directory containing a file citeproc.so and a tex
> file that eventually calls require("citeproc"), then they can get your
> machine to execute arbitrary code from citeproc.so if kpathsearch
> doesn't find a file citeproc.lua somewhere else (e.g. if you haven't
> installed citeproc-lua yet).

That's exactly the reason why loading .so files is only enabled if
`--shell-escape` is enabled. If you use shell escape, compiling untrusted
documents can lead to arbitrary code execution anyway; without shell escape,
LuaTeX will not load citeproc.so.

-- Marcel
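A pre-flight check for the scenario discussed in this thread, added here as an example; it is not code from the thread, from TeX Live or from LuaTeX. It scans a received document tree for native modules (.so, .dylib, .dll, the files Lua's package.cpath would pick up) that could shadow a `require("name")` lookup when "." is first on TEXINPUTS, and reports the configured `shell_escape` value via `kpsewhich -var-value shell_escape` when kpsewhich is installed. The directory layout and the file names used for the check are assumptions for illustration.

```shell
#!/bin/sh
# Pre-flight check before compiling a document tree received from someone else.
# Added example, not part of the mailing-list thread or of TeX Live/LuaTeX.
# Assumptions: the tree is given as a directory path; "native modules" are the
# files Lua's package.cpath would load (.so on Linux, .dylib on macOS,
# .dll on Windows).

# Print every native module in the tree that could shadow a Lua module of the
# same name when a document calls require("name") and "." is first on TEXINPUTS.
find_native_modules() {
    dir=$1
    find "$dir" -type f \( -name '*.so' -o -name '*.dylib' -o -name '*.dll' \) 2>/dev/null | sort
}

# Exit status 0 if at least one native module is present, 1 otherwise.
has_native_modules() {
    [ -n "$(find_native_modules "$1")" ]
}

# Report the configured shell_escape value (p = restricted, t = enabled, f = off)
# when kpsewhich is installed; print "unknown" otherwise, so the script still
# runs on a machine without TeX Live.
shell_escape_setting() {
    if command -v kpsewhich >/dev/null 2>&1; then
        kpsewhich -var-value shell_escape 2>/dev/null || echo unknown
    else
        echo unknown
    fi
}

# Usage: preflight DIR
# Warn when native modules are present and remind that LuaTeX only loads them
# under --shell-escape, so that flag must not be used on this tree.
# Returns 1 when a warning was issued, 0 when the tree is clean.
preflight() {
    dir=$1
    if has_native_modules "$dir"; then
        echo "WARNING: native modules found in $dir:"
        find_native_modules "$dir" | sed 's/^/  /'
        echo "Do not compile this tree with --shell-escape (shell_escape=$(shell_escape_setting))."
        return 1
    fi
    echo "No native modules in $dir."
    return 0
}
```

Run it as `preflight /path/to/received/tree` before invoking lualatex; a non-zero exit is the signal to compile without `--shell-escape` (or not at all) and to look at what the .so file is doing.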

