[Pmwiki-users] Re: LinuxTex Security
chr@home.se
chr
Thu Jan 20 14:06:25 CST 2005
On Thu, 9 Dec 2004, Patrick R. Michaud wrote:
> On Thu, Dec 09, 2004 at 01:31:26PM +0100, Nils Knappmeier wrote:
> > the comments in the linuxtex-cookbook-recipe say, that it is not very safe.
> > To be specific, it is very easy to read any file on the server by just
> > using something like
> >
> > {$ 1 $ \input{/etc/passwd} $ 2 $}
> >
> > I don't know how to remove this vulnerability completely. (Just
> > filtering \input) might not be enough, since it might be hidden in other
> > commands as well.
>
> Yeah, I don't think there's a reliable way to do it through input
> filtering. The better bet would be to see if there's a way to get
> TeX to run in a restricted mode.
>
> All of this reminds me that I need to restore the MimeTeX functionality
> for version 2, and update it to use the improvements that John Forkosh
> has added since the original (some of the improvements are based on
> things we did in PmWiki!). I'll put that on my to-do list.
Which reminds me (I just saw your answer...), I got the following
regarding the LyX site:
> Don't misunderstand me, I appreciate the effort you put into the wiki
> very much, and I would like to have the possibility of math expressions,
> but IMHO mimetex is too insecure.
>
> Did you have a look at the wikipedia solution at
> http://en.wikipedia.org/wiki/Texvc ? This is a better solution IMHO,
> because it is run on more sites and was designed with security in mind.
> Although I do not know OCAML, the source code does look better to me. I
> guess that it would not be too hard to integrate it into pmwiki. Plus,
> the output looks better;-)
So maybe 'Texvc' is a good solution? It runs in a secure latex mode I
think (or filters things for sending to latex).
I may have some more info. about this if you're interested.
/Christian
--
Christian Ridderström, +46-8-768 39 44 http://www.md.kth.se/~chr
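
One way to set up the "restricted mode" suggested in the thread, as an added example that is not part of the original posts or of the PmWiki recipe. It assumes a current TeX Live whose kpathsea honours `openin_any`, `openout_any` and `shell_escape` from the environment and a `latex` binary under `/usr/bin`; the names `restricted_job`, `render` and `formula.tex` are hypothetical.

```python
import os
import subprocess
import tempfile

# Constructed template; the page does not show how the recipe wraps its input.
TEMPLATE = ("\\documentclass{article}\n\\pagestyle{empty}\n"
            "\\begin{document}\n$%s$\n\\end{document}\n")

def restricted_job(formula, workdir):
    """Write the formula into workdir; return (argv, env) for a locked-down run."""
    with open(os.path.join(workdir, "formula.tex"), "w") as fh:
        fh.write(TEMPLATE % formula)
    # The environment is built from scratch so nothing inherited from the web
    # server (TEXINPUTS, TEXMFHOME, ...) can widen TeX's search path.
    env = {
        "PATH": "/usr/bin:/bin",  # assumed location of latex
        "HOME": workdir,          # keep per-user TeX configuration out of the run
        "openin_any": "p",        # paranoid reads: no absolute paths, no ".."
        "openout_any": "p",       # same restriction for files TeX writes
        "shell_escape": "f",      # \write18 disabled
    }
    argv = ["latex", "-no-shell-escape", "-interaction=batchmode",
            "-halt-on-error", "formula.tex"]
    return argv, env

def render(formula, timeout=10):
    """Run latex in a throwaway directory; return DVI bytes, or None on failure."""
    with tempfile.TemporaryDirectory() as workdir:
        argv, env = restricted_job(formula, workdir)
        try:
            proc = subprocess.run(argv, cwd=workdir, env=env, timeout=timeout,
                                  stdin=subprocess.DEVNULL, capture_output=True)
        except (OSError, subprocess.TimeoutExpired):
            return None  # latex missing, or the input never terminated
        dvi = os.path.join(workdir, "formula.dvi")
        if proc.returncode != 0 or not os.path.exists(dvi):
            return None
        with open(dvi, "rb") as fh:
            return fh.read()
```

Running the renderer under a dedicated low-privilege account adds a second barrier that does not depend on TeX's own checks.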