Packaging of a standalone program (Digestif)
Marcel Fabian Krüger
tex at 2krueger.de
Tue Nov 29 05:25:22 CET 2022
On Tue, Nov 29, 2022 at 01:11:05AM +0100, Augusto Stoffel wrote:
> Yes. You can also just place the files in the current directory since
>
> $ kpsewhich -var-brace-value TEXINPUTS | awk -F: '{print $1}'
> .
>
> which in my view is a potential security issue in LuaTeX. For instance,
> if someone sends you a directory containing a file citeproc.so and a tex
> file that eventually calls require("citeproc"), then they can get your
> machine to execute arbitrary code from citeproc.so if kpathsearch
> doesn't find a file citeproc.lua somewhere else (e.g. if you haven't
> installed citeproc-lua yet).
That's exactly the reason why loading .so files is only enabled if
`--shell-escape` is enabled. If you use shell escape, compiling untrusted
documents can lead to arbitrary code execution anyway; without shell escape,
LuaTeX will not load citeproc.so.
-- Marcel
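The check a recipient of such a directory would want, as an added example that is not part of the thread or of LuaTeX: scan the document for `require(...)` calls and report any sibling `.so` or `.lua` file that kpathsea would pick up first because TEXINPUTS starts with `.`. The helper `cwd_searched_first` reuses the `kpsewhich` command quoted above; the function and file names, and the sample document and `citeproc.so` stub it builds in a temporary directory, are constructed for this illustration.

```shell
#!/bin/sh
# Added example (not from the thread or from LuaTeX): before compiling an
# untrusted directory, list the Lua modules its .tex file require()s and report
# local MODULE.so / MODULE.lua files that would shadow the installed copies.
set -eu

# Does kpathsea search the current directory first? This is the TEXINPUTS
# check from the thread; returns 2 if kpsewhich is not installed.
cwd_searched_first() {
  command -v kpsewhich >/dev/null 2>&1 || { echo "kpsewhich not found" >&2; return 2; }
  [ "$(kpsewhich -var-brace-value TEXINPUTS | awk -F: '{print $1}')" = "." ]
}

# Print, one per line and de-duplicated, the module names passed to
# require("name") or require 'name' in the given .tex file.
required_modules() {
  grep -oE "require *\(? *[\"'][A-Za-z0-9_./-]+[\"']" "$1" \
    | sed -e "s/.*[\"']\([^\"']*\)[\"'].*/\1/" \
    | sort -u
}

# For every required module, print "name ext" for each MODULE.so (native code,
# the case discussed in the thread) or MODULE.lua found next to the document.
shadowing_modules() {
  dir=$1
  tex=$2
  for mod in $(required_modules "$tex"); do
    for ext in so lua; do
      if [ -f "$dir/$mod.$ext" ]; then
        printf '%s %s\n' "$mod" "$ext"
      fi
    done
  done
}

# Constructed sample (hypothetical files): a document requiring two modules and
# a directory that carries a citeproc.so beside it. Expected report: "citeproc so".
demo() {
  d=$(mktemp -d)
  printf '\\directlua{require("citeproc")}\n\\directlua{local f = require "fontspec-lua"}\n' > "$d/main.tex"
  : > "$d/citeproc.so"
  shadowing_modules "$d" "$d/main.tex"
  rm -rf "$d"
}

demo
```

A hit from `shadowing_modules` is only a reason to look, not proof of anything malicious; the point of the thread is that a `.so` hit is harmless unless the document is compiled with `--shell-escape`, while a `.lua` hit is loaded either way, so the report is most useful when read together with how you intend to invoke LuaTeX.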