[Pmwiki-users] Re: LinuxTex Security

chr@home.se chr
Thu Jan 20 14:06:25 CST 2005


On Thu, 9 Dec 2004, Patrick R. Michaud wrote:

> On Thu, Dec 09, 2004 at 01:31:26PM +0100, Nils Knappmeier wrote:
> > the comments in the linuxtex-cookbook-recipe say that it is not very safe.
> > To be specific, it is very easy to read any file on the server by just 
> > using something like
> > 
> > {$ 1 $ \input{/etc/passwd} $ 2  $}
> > 
> > I don't know how to remove this vulnerability completely. (Just 
> > filtering \input might not be enough, since it might be hidden in other 
> > commands as well.)
> 
> Yeah, I don't think there's a reliable way to do it through input
> filtering.  The better bet would be to see if there's a way to get
> TeX to run in a restricted mode.
> 
> All of this reminds me that I need to restore the MimeTeX functionality
> for version 2, and update it to use the improvements that John Forkosh
> has added since the original (some of the improvements are based on
> things we did in PmWiki!).  I'll put that on my to-do list.

Which reminds me (I just saw your answer...), I got the following
regarding the LyX site:

> Don't misunderstand me, I appreciate the effort you put into the wiki
> very much, and I would like to have the possibility of math expressions,
> but IMHO mimetex is too insecure.
> 
> Did you have a look at the wikipedia solution at
> http://en.wikipedia.org/wiki/Texvc ? This is a better solution IMHO,
> because it is run on more sites and was designed with security in mind.
> Although I do not know OCAML, the source code does look better to me. I
> guess that it would not be too hard to integrate it into pmwiki. Plus,
> the output looks better;-)

So maybe 'Texvc' is a good solution? It runs in a secure latex mode I 
think (or filters things before sending them to latex).

I may have some more info. about this if you're interested.

/Christian

-- 
Christian Ridderström, +46-8-768 39 44               http://www.md.kth.se/~chr
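The two points made above, that a filter on \input is easy to get around and that a parser in the style of Texvc, which only admits commands it knows, is the safer design, as an added example in Python. This is not code from the thread, from LinuxTex or from Texvc; the allowlisted command set, the function names and every input string are constructed for illustration only.

```python
"""Blacklist vs allowlist filtering of TeX markup: a constructed example.

Added illustration, not code from the thread, LinuxTex or Texvc. It shows
why stripping a literal \\input alone does not stop file reads, and what a
Texvc-style allowlist (only known math commands pass) rejects instead.
"""
import re

# 1. The naive blacklist: reject anything containing a literal \input.
BLACKLIST = re.compile(r"\\input\b")


def blacklist_filter(src: str) -> bool:
    """True if src passes the naive blacklist (i.e. would reach TeX)."""
    return BLACKLIST.search(src) is None


# 2. A deliberately small allowlist of harmless math commands (assumed set,
#    chosen for the example; a real parser would carry a much longer list).
ALLOWED_WORDS = {"frac", "sqrt", "alpha", "beta", "sum", "int", "left",
                 "right", "cdot", "times", "infty", "mathrm"}
ALLOWED_SYMBOLS = set("{},;! ")          # \{ \} \, \; \! and "\ "

TOKEN = re.compile(r"""
    \\([A-Za-z]+)                               # control word, e.g. \frac
  | \\(.)                                       # control symbol, e.g. \{
  | ([A-Za-z0-9 +\-*/=<>(),.;:!|'^_{}\[\]])     # plain characters we allow
""", re.VERBOSE)


def allowlist_filter(src: str) -> bool:
    """True only if every token is a known-harmless command or plain char."""
    # TeX's ^^xx notation lets a document spell a backslash as ^^5c, so a
    # caret pair is refused before tokenizing; otherwise "^^5cinput" passes.
    if "^^" in src:
        return False
    pos = 0
    while pos < len(src):
        m = TOKEN.match(src, pos)
        if m is None:
            return False                        # unknown character: reject
        word, sym, _plain = m.groups()
        if word is not None and word not in ALLOWED_WORDS:
            return False
        if sym is not None and sym not in ALLOWED_SYMBOLS:
            return False
        pos = m.end()
    return True


# 3. Constructed inputs. The first is the thread's example (without the $
#    wrapper); the rest are other ways TeX or LaTeX can be told to read a
#    file without the literal token \input ever appearing.
THREAD_ATTACK = r"\input{/etc/passwd}"
EVASIONS = [
    r"\csname input\endcsname{/etc/passwd}",   # build the name at run time
    r"\makeatletter\@@input{/etc/passwd}",      # LaTeX's alias for the primitive
    r"\openin1=/etc/passwd \read1 to\x \x",     # read primitive, no \input at all
    r"\InputIfFileExists{/etc/passwd}{}{}",     # LaTeX wrapper, different name
    r"^^5cinput{/etc/passwd}",                  # ^^5c is a backslash to TeX
]
BENIGN = r"\frac{\alpha}{\beta} + \sqrt{2}"


def compare(inputs):
    """Map each input to (blacklist_accepts, allowlist_accepts)."""
    return {s: (blacklist_filter(s), allowlist_filter(s)) for s in inputs}


if __name__ == "__main__":
    for s, (bl, al) in compare([THREAD_ATTACK, *EVASIONS, BENIGN]).items():
        print(f"{s!r:50} blacklist={'pass' if bl else 'REJECT'} "
              f"allowlist={'pass' if al else 'REJECT'}")
```

Run directly, the script prints one line per input: the blacklist rejects only the literal \input and lets every other variant through, while the allowlist rejects all of them and passes only the benign formula. The restricted mode Patrick mentions does exist in kpathsea-based TeX installations (teTeX, TeX Live): `openin_any = p` in texmf.cnf, or set as an environment variable, makes TeX refuse to open dotfiles, parent-directory paths and absolute paths outside the current directory tree and the installation's own trees, and `shell_escape = f` keeps \write18 disabled, so the read primitives above have nothing useful to reach even when a filter misses them. Both layers are worth having; the allowlist keeps unknown commands out and the TeX-side setting limits the damage if it does not.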
