System queries with Lua: l3sys-query

David Carlisle d.p.carlisle at
Wed Mar 6 01:01:04 CET 2024

On Tue, 5 Mar 2024 at 23:35, Karl Berry <karl at> wrote:

> Hi Joseph and David,
>     a script for doing (primarily) directory listings from Lua
> I passed it on to tlsecurity at for completeness, though I think
> everyone there is also here.
>     The aim here is to be able to use it from restricted shell escape, which
>     means appropriate security review, etc. Hopefully we've been
>     conservative in that regard (currently it should simply refuse to
>     provide a listing at all outside pwd). Before thinking about a release,
>     I'd like to know what we need to do security-wise to have a chance to
>     get this into the default restricted list.
> Do I understand correctly that the key safety bit is:
>   -- Look for absolute paths or any trying to leave the confines of the current
>   -- directory: this is not supported.
>   if match(spec,"%.%.") or
>      match(spec,"^/") or
>      match(spec,"^\\") or
>      match(spec,"[a-zA-Z]:") then
>     return
>   end
> That looks ok to me. And when I tried running it, I got back the
> expected blank line for anything untoward.
> So I see no problems for security. I believe the --all option is
> ineffective? (Which seems good.)

--all enables .files in the current directory being read.

If the current directory has foo.tex and .foo then .foo is not listed
unless --all is used

$ ./l3sys-query.lua ls '*foo*'

$ ./l3sys-query.lua ls --all '*foo*'

If openin_any = p is in force the calling tex system wouldn't be able to
read .foo but (currently at least) it shows in the directory listing.
I think that's compatible with openin_any=p (which actually is in force
above) otherwise we would (I think) have to add a call to
kpsewhich -var-value 'openin_any'
to disable --all in that case.

> I have a number of non-security comments, but will write those up later
> today or tomorrow. Wanted to send this off now. --thanks, karl.
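
One way the openin_any check discussed above could sit next to the quoted path check, as an added example that is not part of the original message and not l3sys-query's own code. The function names are hypothetical, and the policy assumes kpathsea's openin_any values a, r and p, with both r and p forbidding dot files.

```lua
-- Added example; not l3sys-query's own code. Function names are hypothetical.
local match = string.match

-- The check quoted in the message: refuse "..", a leading "/" or "\",
-- and anything that looks like a drive letter.
local function spec_is_confined(spec)
  return not (match(spec, "%.%.") or
              match(spec, "^/") or
              match(spec, "^\\") or
              match(spec, "[a-zA-Z]:"))
end

-- Ask kpathsea for openin_any; nil if kpsewhich is missing or prints nothing.
local function read_openin_any()
  local pipe = io.popen("kpsewhich -var-value openin_any")
  if not pipe then return nil end
  local value = pipe:read("*l")
  pipe:close()
  if value == nil or value == "" then return nil end
  return value
end

-- Assumption: only "a" (any) lets TeX open dot files; "r", "p" and an
-- unknown or unreadable setting are all treated as forbidding them.
local function all_permitted(openin_any)
  return openin_any == "a"
end

-- Returns nil for a refused spec, else the options the listing may use.
local function effective_options(spec, want_all, openin_any)
  if not spec_is_confined(spec) then return nil end
  return { spec = spec, all = want_all and all_permitted(openin_any) }
end

-- Constructed cases: { spec, --all requested, openin_any value }.
local cases = {
  { "*foo*", true, "a" }, { "*foo*", true, "p" }, { "*foo*", true, nil },
  { "../*foo*", true, "a" }, { "/etc/*", false, "a" }, { "C:\\*", false, "a" },
}
for _, c in ipairs(cases) do
  local opts = effective_options(c[1], c[2], c[3])
  print(c[1], tostring(c[3]), opts and ("list, all=" .. tostring(opts.all)) or "refused")
end

-- Live lookup on a machine with TeX Live installed.
local live = effective_options("*foo*", true, read_openin_any())
print("live", "list, all=" .. tostring(live.all))
```

Treating a missing or unreadable setting as restrictive keeps --all off whenever kpsewhich cannot be consulted.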
