LATEX-L Archives

Mailing list for the LaTeX3 project

LATEX-L@LISTSERV.UNI-HEIDELBERG.DE

Sender: Mailing list for the LaTeX3 project <[log in to unmask]>
Date: Sat, 25 Aug 2018 22:15:23 +0200
Reply-To: Mailing list for the LaTeX3 project <[log in to unmask]>
From: Bruno Le Floch <[log in to unmask]>
Peter,

Let's say we have some macro that takes an argument and calls "ls #1" in
the shell.  Specifically

\makeatletter
\def \ls #1{\begingroup
  \everyeof{\noexpand}%
  \message{\@@input"|ls #1" }%
  \endgroup}

Then someone can do \ls{; rm somefile} to remove the file "somefile",
even though one may think that calling \ls is safe.

Bruno


On 08/25/2018 10:06 PM, Peter Wilson wrote:
> Jonathan,
> 
> I don't understand. Please explain it and its relevance to (La)TeX.
> 
> Peter W.
> 
> 
> On 24/08/18 22:00, Jonathan Fine wrote:
>> Hi Joseph
>>
>> Please take a look at https://xkcd.com/327. It is the famous Bobby
>> Tables story.
>>
>> Do you understand the exploit being described? This is an important
>> preliminary question for the whole conversation.
>>
>> Jonathan
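
The \ls case from the message above, as an added example that is not part of the original thread or of any LaTeX code: a Python stand-in that shows how a POSIX shell splits the interpolated "ls #1" string, next to two mitigations (quoting the argument, and an allowlist check before it is used). The names TEMPLATE, shell_view, interpolate_raw, interpolate_quoted and is_safe_argument are hypothetical, and nothing is executed; the strings are only tokenized.

```python
import re
import shlex

# Assumption: stands in for the "|ls #1" string that TeX hands to the shell.
TEMPLATE = "ls {}"


def shell_view(command_line):
    """Approximate how a POSIX shell splits a command line into words,
    keeping control operators such as ';' and '|' as tokens of their own."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def interpolate_raw(arg):
    """What the macro does: paste the argument into the command unchanged."""
    return TEMPLATE.format(arg)


def interpolate_quoted(arg):
    """Quote the argument so the shell treats it as exactly one word."""
    return TEMPLATE.format(shlex.quote(arg))


# Allowlist: path-like characters only, and no leading '-' that ls
# would read as an option.
SAFE_ARG = re.compile(r"[A-Za-z0-9_./][A-Za-z0-9_./-]*")


def is_safe_argument(arg):
    """Reject anything that is not a plain path before it reaches the shell."""
    return SAFE_ARG.fullmatch(arg) is not None


if __name__ == "__main__":
    # Constructed inputs; the second is the argument quoted in the message.
    for arg in ["chapters", "; rm somefile"]:
        verdict = "accepted" if is_safe_argument(arg) else "rejected"
        print(repr(arg), verdict)
        print("  raw:   ", shell_view(interpolate_raw(arg)))
        print("  quoted:", shell_view(interpolate_quoted(arg)))
```

In the raw form the ';' comes out as its own token, so the shell sees two commands; in the quoted form the whole argument is a single word passed to ls.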
