System queries with Lua: l3sys-query
Nicola Talbot
lists at dickimaw-books.com
Sat Mar 9 12:06:28 CET 2024
On 08/03/2024 00:07, David Carlisle wrote:> as far as I can see
texosquery can't list the current directory if
> openin_any is p
> as it won't accept . that is more restrictive than \input which lets you
> always \input ./foo.tex
> . isn't a "dotfile" in that sense.
It's not the dot that's the problem if you try a directory listing of
"." with openin_any=p with texosquery. Paths are converted to their
canonical form before determining whether access is allowed (which is
why the symlink in the previous example was skipped). Even if you
substitute "." with the full path, texosquery won't allow a directory
listing of the current directory.
$ kpsewhich --var-value=openin_any
p
$ cd
$ mkdir tmp
$ cd tmp
$ touch foo
$ ls -a
. .. foo
$ texosquery-jre8 -i , .
$ texosquery-jre8 -i , /home/nlct/tmp
$ texosquery-jre8 -p /home/nlct/tmp
$ texosquery -p ./foo
\fslh home\fslh nlct\fslh tmp\fslh foo
The reason is that texosquery doesn't consider the current directory to
be within the current directory. However, texosquery is more restrictive
than TeX in that it doesn't allow a special case for ".tex". I can't see
any reason for querying file information about that, and it seems a bit
of a trapdoor to allow it in the current directory where it may be
unnoticed.
My view is that if a user has gone out of their way to set openin_any to
the paranoid setting, then they probably have a paranoid view about
their safety, in which case they might not want the restricted mode to
be able to find all their files.
You may remember that I demonstrated two malicious packages that if
simply loaded in the document with \usepackage they would trash all
document source files (within the limit of openout_any). Allowing a full
listing of all files in the current directory would extend that scope to
trashing all files (with write access) in the current directory. Those
packages were a proof of concept (one used the shell escape in
restricted mode, the other used TeX's native I/O with the shell escape
disabled). I'm not aware of any malicious packages that are publicly
available, but that doesn't mean they won't occur (which is surely the
reason for TeX's security settings).
Regards
Nicola
More information about the tex-live
mailing list.