[dev-context] TeX on contextgarden disabled - \installprogram security

Hans Hagen pragma at wxs.nl
Thu Mar 29 00:56:35 CEST 2007


Patrick Gundlach wrote:
> Hi,
>
> I've just found out about \installprogram, that lets you run any
> command from TeX, bypassing the shellescape, openout and openin
> setting. This means that I have a serious security problem on
> contextgarden and therefore I have disabled all TeX typesetting.
>
> Any advice on how to disable this?
>   
you can patch texutil.rb

            def MyExtras::finalizer(logger)
                unless (ENV["CTX.TEXUTIL.EXTRAS"] =~ /^(no|off|false|0)$/io) ||
                       (ENV["CTX_TEXUTIL_EXTRAS"] =~ /^(no|off|false|0)$/io) then
                    @@programs.each do |p|
                        cmd = @@programs[p.to_i]
                        logger.report("running #{cmd}")
                        system(cmd)
                    end
                end
            end


and set

CTX_TEXUTIL_EXTRAS=off

(in mkiv I have a more clever method; there we can register nice programs)

> Patrick
>   


-- 

-----------------------------------------------------------------
                                          Hans Hagen | PRAGMA ADE
              Ridderstraat 27 | 8061 GH Hasselt | The Netherlands
     tel: 038 477 53 69 | fax: 038 477 53 74 | www.pragma-ade.com
                                             | www.pragma-pod.nl
-----------------------------------------------------------------
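
An added example, not code from texutil.rb or from the mkiv mechanism mentioned above: it keeps the same environment switch as the patch and goes one step further by running only allowlisted program names, without a shell. The module name `GatedExtras`, its methods and the sample program names are hypothetical.

```ruby
require "shellwords"

# Hypothetical module for illustration; not part of texutil.rb.
module GatedExtras
  # Values that switch extras off (the patch uses /^(no|off|false|0)$/io).
  OFF = /\A(no|off|false|0)\z/i
  KEYS = ["CTX.TEXUTIL.EXTRAS", "CTX_TEXUTIL_EXTRAS"].freeze

  # As in the patch, extras stay enabled when neither variable is set.
  def self.enabled?(env = ENV)
    KEYS.none? { |k| OFF.match?(env[k].to_s) }
  end

  # Split requested commands into [argv lists to run, refused strings].
  # A command is accepted only when its first word is on the allowlist.
  def self.plan(commands, allowed, env = ENV)
    return [[], commands.dup] unless enabled?(env)
    run, refused = [], []
    commands.each do |cmd|
      argv = begin
        Shellwords.split(cmd)
      rescue ArgumentError # unbalanced quotes
        []
      end
      if allowed.include?(argv.first)
        run << argv
      else
        refused << cmd
      end
    end
    [run, refused]
  end

  # Runs accepted commands without a shell and returns the refused ones.
  def self.finalizer(commands, allowed, env = ENV, runner = Kernel.method(:system))
    run, refused = plan(commands, allowed, env)
    # [name, name] forces the argv form of system, so no shell parses the line.
    run.each { |argv| runner.call([argv[0], argv[0]], *argv[1..-1]) }
    refused
  end
end
```

An allowlisted program still receives arguments chosen by the document, so the list should hold only programs that are safe to run on untrusted arguments.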


