Hi Peter:

I'm wanting to get responses from security experts, not TeX experts. Ideally, we want a security expert who's also a TeX expert. But if it's one or the other, this question needs a security expert. In other words, someone who understands:

> https://xkcd.com/327 - the famous Bobby Drop Tables story.

Bruno: Yes, my thoughts exactly, but better expressed. Thank you. And they could do much more than just remove a file. They could, probably, execute an arbitrary command. Something that might escalate the exploit.

best regards

Jonathan

On Sat, Aug 25, 2018 at 9:24 PM, Peter Wilson <[log in to unmask]> wrote:

> Jonathon,
>
> You might have had more responses if you had posted to
> https://tex.stackechange.com
>
> Peter W.
>
> On 24/08/18 18:10, Jonathan Fine wrote:
>
> Hi Joseph
>
> Thank you for your email on l3sys-shell. You wrote:
>
>> There are two broad questions we have. First, how do people feel about
>> these concepts? We can see that there may be some security concerns, hence
>> not adding directly to the expl3 core. However, as one has to be running
>> with unrestricted shell escape anyway, we are not sure if providing macro
>> wrappers makes these worse:
>
> I'm not a security expert. Are you, Joseph? In any case, I've asked your
> question on stack exchange, and put a code review comment on github. Here's
> the URLs
>
> - https://security.stackexchange.com/questions/192249/concerns-about-latex-3-shell-escape-code
> - https://github.com/latex3/latex3/commit/7b62e64dde239f9cb6ae0f08400c0b5ccde815d8#diff-09def3f98d60fce78fbcc00e77c65795R3093
>
> I hope you'll get a useful response from a security expert.
>
> best regards
>
> Jonathan