Packaging of a standalone program (Digestif)

Marcel Fabian Krüger tex at
Tue Nov 29 05:25:22 CET 2022

On Tue, Nov 29, 2022 at 01:11:05AM +0100, Augusto Stoffel wrote:
> Yes.  You can also just place the files in the current directory since
>      $ kpsewhich -var-brace-value TEXINPUTS | awk -F: '{print $1}'
>      .
> which in my view is a potential security issue in LuaTeX.  For instance,
> if someone sends you a directory containing a file and a tex
> file that eventually calls require("citeproc"), then they can get your
> machine to execute arbitrary code from if kpathsearch
> doesn't find a file citeproc.lua somewhere else (e.g. if you haven't
> installed citeproc-lua yet).

That's exactly the reason why loading .so files is only enabled if
`--shell-escape` is enabled. If you use shell escape, compiling untrusted
documents can lead to arbitrary code execution anyway; without shell escape
LuaTeX will not load

-- Marcel
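The risk Augusto describes comes from first-match-wins search-path resolution with "." at the front: a module name in `require(...)` resolves to whatever file of that name sits in the document directory before the installed TeX tree is consulted. The following is an added example, not code from either poster or from LuaTeX/kpathsea. It models that lookup order in Python and flags modules an untrusted document directory would supply itself. The directory layout, file names (`untrusted/`, `texmf/`, `helper.lua`) and the single-directory "system" tree are constructed for the demo; the real kpathsea path variables and LuaTeX's searcher order are not reproduced here, so treat it as a pre-flight check on a document tree, not as a model of the engine.

```python
"""Flag Lua modules that an untrusted TeX directory would shadow.

Models first-match-wins lookup with the document directory ("." on the page)
searched before the system tree. Added example; not LuaTeX or kpathsea code.
"""
import re
import tempfile
from pathlib import Path

# Matches require("name"), require('name') and require "name" in \directlua etc.
REQUIRE_RE = re.compile(r'require\s*\(?\s*["\']([A-Za-z0-9_.\-]+)["\']')


def resolve_module(name, search_path):
    """Return the first file <dir>/<name>.lua or <name>.so along search_path, else None.

    Mirrors the property that matters here: the earliest directory wins.
    """
    for directory in search_path:
        for suffix in (".lua", ".so"):
            candidate = Path(directory) / (name + suffix)
            if candidate.is_file():
                return candidate
    return None


def required_modules(tex_source):
    """Module names mentioned in require(...) calls, de-duplicated and sorted."""
    return sorted(set(REQUIRE_RE.findall(tex_source)))


def shadowed_modules(doc_dir, system_dirs):
    """Map module name -> path for every require() whose first match lies inside doc_dir.

    Anything reported would be loaded from the untrusted directory rather than
    from the installed tree; for .lua files that is code execution on compile.
    """
    doc_dir = Path(doc_dir).resolve()
    search_path = [doc_dir, *system_dirs]  # document directory first, as "." in TEXINPUTS
    report = {}
    for tex in doc_dir.rglob("*.tex"):
        for module in required_modules(tex.read_text(errors="replace")):
            hit = resolve_module(module, search_path)
            if hit is not None and doc_dir in hit.resolve().parents:
                report[module] = str(hit)
    return report


def demo():
    """Constructed layout: the document ships its own citeproc.lua, the system has helper.lua."""
    with tempfile.TemporaryDirectory() as tmp:
        doc = Path(tmp) / "untrusted"   # what someone sent you (constructed)
        texmf = Path(tmp) / "texmf"     # stand-in for the installed tree (constructed)
        doc.mkdir()
        texmf.mkdir()
        (doc / "main.tex").write_text(
            r'\directlua{require("citeproc") require("helper")}' "\n"
        )
        # Stand-in for a malicious module; the real thing would run arbitrary Lua.
        (doc / "citeproc.lua").write_text('os.execute("id")  -- constructed payload stand-in\n')
        # A legitimately installed module: found only in the system tree, so not flagged.
        (texmf / "helper.lua").write_text("return {}\n")
        return shadowed_modules(doc, [texmf])


if __name__ == "__main__":
    for module, path in demo().items():
        print(f"{module}: would load from untrusted directory: {path}")
```

Run it against a real directory with `shadowed_modules(".", [<your texmf dirs>])` before compiling something you did not write; an empty report means no `require()` in the tree resolves to a file the sender controls. The check deliberately reports `.so` names too, even though, as Marcel notes, LuaTeX only loads those under `--shell-escape`.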
