On 24/08/2018 18:10, Jonathan Fine wrote:
> Hi Joseph
> Thank you for your email on l3sys-shell. You wrote:
>> There are two broad questions we have. First, how do people feel about
>> these concepts? We can see that there may be some security concerns, hence
>> not adding directly to the expl3 core. However, as one has to be running
>> with unrestricted shell escape anyway, we are not sure if providing macro
>> wrappers makes these worse:
> I'm not a security expert. Are you, Joseph? In any case, I've asked your
> question on Stack Exchange, and put a code review comment on GitHub. Here are
> the URLs
> I hope you'll get a useful response from a security expert.
> best regards
Once one allows unrestricted shell escape, all bets are off in terms of
what an arbitrary package can do. However, there are legitimate uses for
file operations: see e.g. pstool. (Other packages use non-restricted
escape, for example minted to run pygmentize.)
Thus the question is whether on balance it seems better to say 'each
package that wants to do such operations should write them out itself'
or 'we will provide an abstraction'. Clearly, the latter could be seen
as 'easier' for a malicious actor to use. On the other hand, writing
platform-neutral abstractions for e.g. "remove all files" is actually
not that difficult. So the barrier is low.
At present, we've put the operations in a separate file specifically so
they have to be loaded explicitly. However, one can see that they may be
loaded by a third-party package, e.g. pstool could be altered to do
this. They'd then be 'hidden' to some extent.
It's important to emphasise that with a normal TeX Live or MiKTeX setup,
these macros will not do anything as *they are restricted by the engine
settings*. As such, there is already a 'user opt-in'.
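As an added illustration of that last point (this is not code from the l3sys-shell proposal or from the message above): an expl3 wrapper that only issues a shell command when the engine reports unrestricted shell escape, and otherwise records in the log what was skipped. The `demo` module, `\demo_shell_guarded:n`, `\DemoShellGuarded` and the message texts are my own names; `\sys_if_shell_unrestricted:TF`, `\sys_if_shell_restricted:TF` and `\sys_shell_now:n` are existing l3kernel functions.

```latex
% Added example: a guarded wrapper around shell escape, showing that with
% TeX Live / MiKTeX defaults (restricted shell escape) the file operation
% is never attempted. Names prefixed demo_/Demo are assumed, not l3 names.
\documentclass{article}
\usepackage{expl3,xparse}
\ExplSyntaxOn

\msg_new:nnn { demo } { shell-skipped }
  { Shell~escape~is~#1;~skipped~command:~'#2'. }
\msg_new:nnn { demo } { shell-run }
  { Running~shell~command:~'#1'. }

% Run #1 only under unrestricted shell escape (the 'user opt-in' state);
% otherwise log why nothing happened. \sys_shell_now:n is the l3sys
% interface to the engine's shell-escape primitive (\write18).
\cs_new_protected:Npn \demo_shell_guarded:n #1
  {
    \sys_if_shell_unrestricted:TF
      {
        \msg_info:nnn { demo } { shell-run } {#1}
        \sys_shell_now:n {#1}
      }
      {
        \sys_if_shell_restricted:TF
          { \msg_warning:nnnn { demo } { shell-skipped } { restricted } {#1} }
          { \msg_warning:nnnn { demo } { shell-skipped } { disabled } {#1} }
      }
  }

% Document-level command so the wrapper can be exercised from a .tex file.
\NewDocumentCommand \DemoShellGuarded { m } { \demo_shell_guarded:n {#1} }
\ExplSyntaxOff

\begin{document}
% With plain 'pdflatex' this only leaves a demo/shell-skipped warning in
% the log; only 'pdflatex -shell-escape' actually creates the directory.
\DemoShellGuarded{mkdir demo-output}
Check the log for the demo/shell-skipped or demo/shell-run message.
\end{document}
```

Compiling once without and once with `-shell-escape` shows the two states the message refers to: the same macro is inert under the default restricted setting and active only after the user has opted in.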