[Pmwiki-users] Re: LinuxTex Security
Nils Knappmeier
nk at knappi.org
Tue Jan 25 15:41:43 CST 2005
chr at home.se wrote:
>On Thu, 9 Dec 2004, Patrick R. Michaud wrote:
>
>>On Thu, Dec 09, 2004 at 01:31:26PM +0100, Nils Knappmeier wrote:
>>
>>>the comments in the linuxtex-cookbook-recipe say, that it is not very safe.
>>>To be specific, it is very easy to read any file on the server by just
>>>using something like
>>>
>>>{$ 1 $ \input{/etc/passwd} $ 2 $}
>>>
>>>I don't know how to remove this vulnerability completely. (Just
>>>filtering \input) might not be enough, since it might be hidden in other
>>>commands as well.
>>>
I've done some modifications to the LinuxTex plugin, so that it
scrambles potential filenames to useless stuff. More detailed
information is on the LinuxTex-Cookbook page on:
http://www.pmichaud.com/wiki/Cookbook-V1/LinuxTex
I didn't want to overwrite the original recipe, so I named it linuxtexnk.php
Nils
>>Yeah, I don't think there's a reliable way to do it through input
>>filtering. The better bet would be to see if there's a way to get
>>TeX to run in a restricted mode.
>>
>>All of this reminds me that I need to restore the MimeTeX functionality
>>for version 2, and update it to use the improvements that John Forkosh
>>has added since the original (some of the improvements are based on
>>things we did in PmWiki!). I'll put that on my to-do list.
>
>Which reminds me (I just saw your answer...), I got the following
>regarding the LyX site:
>
>>Don't misunderstand me, I appreciate the effort you put into the wiki
>>very much, and I would like to have the possibility of math expressions,
>>but IMHO mimetex is too insecure.
>>
>>Did you have a look at the wikipedia solution at
>>http://en.wikipedia.org/wiki/Texvc ? This is a better solution IMHO,
>>because it is run on more sites and was designed with security in mind.
>>Although I do not know OCAML, the source code does look better to me. I
>>guess that it would not be too hard to integrate it into pmwiki. Plus,
>>the output looks better;-)
>
>So maybe 'Texvc' is a good solution? It runs in a secure latex mode I
>think (or filters things for sending to latex).
>
>I may have some more info. about this if you're interested.
>
>/Christian
>
--
---------------------------------------------
home: http://www.knappi.org
icq: 11786572
The great thing about being the only species that makes
a distinction between right and wrong is that we can
make up the rules for ourselves as we go along.
Douglas Adams, Last Chance To See...