Packaging of a standalone program (Digestif)
Augusto Stoffel
arstoffel at gmail.com
Tue Nov 29 10:02:32 CET 2022
On Tue, 29 Nov 2022 at 05:25, Marcel Fabian Krüger wrote:
> On Tue, Nov 29, 2022 at 01:11:05AM +0100, Augusto Stoffel wrote:
>> Yes. You can also just place the files in the current directory since
>>
>> $ kpsewhich -var-brace-value TEXINPUTS | awk -F: '{print $1}'
>> .
>>
>> which in my view is a potential security issue in LuaTeX. For instance,
>> if someone sends you a directory containing a file citeproc.so and a tex
>> file that eventually calls require("citeproc"), then they can get your
>> machine to execute arbitrary code from citeproc.so if kpathsearch
>> doesn't find a file citeproc.lua somewhere else (e.g. if you haven't
>> installed citeproc-lua yet).
>
> That's exactly the reason why loading .so files is only enabled if
> `--shell-escape` is enabled. If you use shell escape, compiling untrusted
> documents can lead to arbitrary code execution anyway; without shell escape,
> LuaTeX will not load citeproc.so.
Ah, good. This detail is not mentioned in the manual.
But the issue I described still applies to scripts with the
#!/usr/bin/env texlua
shebang, as provided by citeproc-lua and certainly a number of other
packages. Unless every package author remembers to say
os.setenv("TEXMFDOTDIR", "/lets/be/safe")
or use
#!/usr/bin/env -S TEXMFDOTDIR=/dev/null texlua
or similar, a certain level of vulnerability is present. (Note also
that this solution is not completely portable among OSes. What is a
directory name that's more or less guaranteed not to exist on Windows?)
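The hardening the message above suggests, written out as an added example (not code from the thread or from citeproc-lua): a texlua preamble that overrides TEXMFDOTDIR before the first require(), here pointing it at the script's own installation directory rather than at a non-existent path. It assumes a LuaTeX-style texlua with os.setenv and the kpse library available, that arg[0] holds the script path, and that the package's .lua modules live next to the script.

```lua
#!/usr/bin/env texlua
-- Added example, not part of the original mailing-list post.
-- Assumption: the script's own directory (derived from arg[0]) is the
-- trusted place where this package's .lua modules are installed.

-- 1. Work out the script's directory, accepting both / and \ separators.
local function script_directory()
  local path = (arg and arg[0]) or ""
  return path:match("^(.*)[/\\]") or "."
end

-- 2. Redirect kpathsea's "." entry away from the user's current working
--    directory. This must happen before anything is require()d, since
--    require goes through kpathsea and would otherwise look in cwd first.
local trusted_dir = script_directory()
os.setenv("TEXMFDOTDIR", trusted_dir)

-- 3. Initialise kpse only after the override so the new value is used.
kpse.set_program_name("texlua")

-- 4. Defensive check: report where a module would actually be loaded
--    from, so a shadowing copy outside the trusted directory is visible.
local function resolve_module(name)
  return kpse.find_file(name .. ".lua", "lua")
end

local function check_module(name)
  local found = resolve_module(name)
  if found and found:sub(1, #trusted_dir) ~= trusted_dir then
    io.stderr:write("warning: ", name, ".lua resolves to ", found,
                    ", outside ", trusted_dir, "\n")
    return false
  end
  return true
end

-- citeproc is the module named in the thread; constructed usage below.
if check_module("citeproc") then
  local citeproc = require("citeproc")
end
```

Whether a non-existent directory or the script directory is the better TEXMFDOTDIR value depends on whether the script legitimately needs to find files next to itself; the warning in step 4 is useful either way.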