Hi Joseph

Thank you for your prompt response. You wrote

> Once one allows unrestricted shell escape, all bets are off in terms of what
> an arbitrary package can do.

Your implication is that "restricted shell escape" both

   1. reduces what an arbitrary package can do
   2. improves security

Please provide some evidence for (1), by for example providing references
to the source code and tests.

For (2), this also needs to be argued. Suppose software item AAA-SECURE is
not, in fact, secure. Then AAA-SECURE is already a security risk, because
its name allows a social engineering exploit, which perhaps can then be
leveraged.

By the way, the usual meaning of "restricted shell escape" is as in
https://en.wikipedia.org/wiki/Restricted_shell. This page tells us: The
restricted shell is not secure.

The TeX/LaTeX community has a different meaning for "restricted shell
escape". As you are using the term in this new way, please would you
provide a definition.

Please also would you discuss:
http://tex-live.tug.narkive.com/1iD2CkdT/security-issues-for-restricted-shell-escape
.

with best regards

Jonathan