Packaging of a standalone program (Digestif)

Augusto Stoffel arstoffel at
Tue Nov 29 10:02:32 CET 2022

On Tue, 29 Nov 2022 at 05:25, Marcel Fabian Krüger wrote:

> On Tue, Nov 29, 2022 at 01:11:05AM +0100, Augusto Stoffel wrote:
>> Yes.  You can also just place the files in the current directory since
>>      $ kpsewhich -var-brace-value TEXINPUTS | awk -F: '{print $1}'
>>      .
>> which in my view is a potential security issue in LuaTeX.  For instance,
>> if someone sends you a directory containing a file and a tex
>> file that eventually calls require("citeproc"), then they can get your
>> machine to execute arbitrary code from if kpathsearch
>> doesn't find a file citeproc.lua somewhere else (e.g. if you haven't
>> installed citeproc-lua yet).
> That's exactly the reason why loading .so files is only enabled if
> `--shell-escape` is enabled. If you use shell escape compiling untrusted
> documents can lead to arbitrary code execution anyway, without shell escape
> LuaTeX will not load

Ah, good.  This detail is not mentioned in the manual.

But the issue I described still applies to scripts with the

     #!/usr/bin/env texlua

shebang, as provided by citeproc-lua and certainly a number of other
packages.  Unless every package author remembers to say

   os.setenv("TEXMFDOTDIR", "/lets/be/safe")

or use

    #!/usr/bin/env -S TEXMFDOTDIR=/dev/null texlua

or similar, a certain level of vulnerability is present.  (Note also
that this solution is not completely portable among OS.  What is a
directory name that's more or less guaranteed not to exist on Windows?)

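The check discussed in the message above, as an added example that is not part of the original thread: before running a texlua script in a directory received from someone else, list the files there that would satisfy one of its require() calls, and run the script with TEXMFDOTDIR pointing at a freshly created empty directory. The function names are hypothetical; the code assumes at most one require() with a literal module name per line and a system that provides `mktemp -d`.

```shell
#!/bin/sh
# Added example, not code from the thread or from any TeX Live package.
# Usage after sourcing this file:
#   shadowing_files /path/to/script.lua .
#   with_empty_dotdir texlua /path/to/script.lua

# required_modules SCRIPT
# Print the module names that SCRIPT passes to require() as string literals,
# e.g. require("citeproc") or require 'citeproc'. One match per line of input.
required_modules() {
    sed -n "s/.*require *(\{0,1\} *[\"']\([A-Za-z0-9_.-]*\)[\"'].*/\1/p" "$1" |
        sort -u
}

# shadowing_files SCRIPT DIR
# Print every file in DIR whose name matches a module required by SCRIPT.
# Dotted names are mapped to subdirectories, as stock Lua does. A .so match is
# reported as well, although the thread notes that LuaTeX loads .so files only
# with --shell-escape.
shadowing_files() {
    required_modules "$1" | while IFS= read -r mod; do
        path=$(printf '%s' "$mod" | tr . /)
        for ext in lua so; do
            if [ -f "$2/$path.$ext" ]; then
                printf '%s\n' "$path.$ext"
            fi
        done
    done
}

# with_empty_dotdir COMMAND [ARGS...]
# Run COMMAND with TEXMFDOTDIR set to a new, empty directory instead of
# guessing a path that does not exist, then remove that directory again.
with_empty_dotdir() {
    empty=$(mktemp -d) || return 1
    env TEXMFDOTDIR="$empty" "$@"
    status=$?
    rmdir "$empty"
    return "$status"
}
```

Any line printed by shadowing_files names a local file that deserves a look before the script is run from that directory.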