[dev-context] TeX on contextgarden disabled - \installprogram security

Mojca Miklavec mojca.miklavec.lists at gmail.com
Thu Mar 29 01:03:21 CEST 2007


On 3/29/07, Hans Hagen wrote:
> Patrick Gundlach wrote:
> > Hi,
> >
> > I've just found out about \installprogram, that lets you run any
> > command from TeX, bypassing the shellescape, openout and openin
> > setting. This means that I have a serious security problem on
> > contextgarden and therefore I have disabled all TeX typesetting.
> >
> > Any advice on how to disable this?
> >
> you can patch texutil.rb
>
>     def MyExtras::finalizer(logger)
>         unless (ENV["CTX.TEXUTIL.EXTRAS"] =~ /^(no|off|false|0)$/io) ||
>                (ENV["CTX_TEXUTIL_EXTRAS"] =~ /^(no|off|false|0)$/io) then
>             @@programs.each do |p|
>                 cmd = @@programs[p.to_i]
>                 logger.report("running #{cmd}")
>                 system(cmd)
>             end
>         end
>     end
>
>
> and set
>
> CTX_TEXUTIL_EXTRAS=off
>
> (in mkiv i have a more clever method, there we can register nice programs)

What about some extra safety --switch? (Otherwise we need to patch
every time a new version is installed - I can place a regular
expression to replace that part, but I guess that other people might
need that as well.)

Mojca
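
The gate in the quoted patch is opt-out: registered programs are skipped only when one of the two variables holds exactly one of the listed values. The following added example (not part of the thread or of texutil.rb) models that check so a server operator can see which settings actually block execution; the helper names and sample environments are constructed, and nothing is executed.

```ruby
# Added example: models the environment gate from the quoted patch.
# extras_enabled?, would_run and preflight! are hypothetical helper names,
# not functions from texutil.rb.

OFF = /^(no|off|false|0)$/io # same pattern as in the quoted patch

# True when the finalizer would go on to call system() on registered programs.
def extras_enabled?(env)
  !((env["CTX.TEXUTIL.EXTRAS"] =~ OFF) || (env["CTX_TEXUTIL_EXTRAS"] =~ OFF))
end

# Commands the finalizer would execute under this environment.
# Nothing is run here; the list is only returned for inspection.
def would_run(programs, env)
  extras_enabled?(env) ? programs.dup : []
end

# Fail-closed start-up check for a typesetting service:
# refuse to continue unless the gate is verifiably off.
def preflight!(env)
  raise "CTX_TEXUTIL_EXTRAS is not set to an off value" if extras_enabled?(env)
  true
end

# Constructed sample environments and whether programs would still run.
SAMPLES = [
  [{},                                    true],  # unset: programs run
  [{ "CTX_TEXUTIL_EXTRAS" => "off" },     false],
  [{ "CTX_TEXUTIL_EXTRAS" => "OFF" },     false], # match is case-insensitive
  [{ "CTX.TEXUTIL.EXTRAS" => "0" },       false], # dotted name is also honoured
  [{ "CTX_TEXUTIL_EXTRAS" => "disabled" }, true], # not one of the listed values
  [{ "CTX_TEXUTIL_EXTRAS" => "off " },    true],  # trailing space defeats the match
  [{ "CTX_TEXUTIL_EXTRAS" => "" },        true]   # empty string: programs run
]

if __FILE__ == $0
  SAMPLES.each do |env, _|
    state = extras_enabled?(env) ? "programs run" : "blocked"
    puts "#{env.inspect} -> #{state}"
  end
end
```

Passing the real `ENV` to `preflight!` from the service's start-up script confirms that the variable reached the process that invokes texutil, not just the operator's shell.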

