emacs-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [RFC] MIME attachments for comint

From: Gregory Heytings
Subject: Re: [RFC] MIME attachments for comint
Date: Thu, 30 Sep 2021 08:49:22 +0000 


But TeX markup could in principle execute arbitrary code.


I'm surprised and worried.  Can you show how that can happen?
You probably know that TeX has a \write18{} command with which it is possible to execute shell commands. The behavior of that command is (in TeX Live) controlled by the shell_escape and shell_escape_commands configuration variables in texmf.cnf. Their default values are: 

shell_escape = p
which means that shell commands are allowed "partially", that is, that the only allowed commands are those that are listed in shell_escape_commands: 

shell_escape_commands = 
bibtex,bibtex8,extractbb,gregorio,kpsewhich,makeindex,repstopdf,r-mpost,texosquery-jre8

But this restriction is easy to circumvent:

echo ls > bibtex
chmod +x bibtex
export PATH=.:$PATH
echo '\write18{bibtex}\bye' > test.tex
pdftex test.tex
In practice, this is not really a problem, because it requires to either change one of the programs listed in shell_escape_commands, or to change the PATH environment variable. But it's fragile nonetheless.
reply via email to
[Prev in Thread] Current Thread [Next in Thread]