On 24/08/2018 18:10, Jonathan Fine wrote:
> Hi Joseph
> 
> Thank you for your email on l3sys-shell. You wrote:
> 
>> There are two broad questions we have. First, how do people feel about
>> these concepts? We can see that there may be some security concerns, hence
>> not adding directly to the expl3 core. However, as one has to be running
>> with unrestricted shell escape anyway, we are not sure if providing macro
>> wrappers makes these worse:
> 
> 
> I'm not a security expert. Are you, Joseph? In any case, I've asked your
> question on stack exchange, and put a code review comment on github. Here's
> the URLs
> 
>     -
>     https://security.stackexchange.com/questions/192249/concerns-about-latex-3-shell-escape-code
>     -
>     https://github.com/latex3/latex3/commit/7b62e64dde239f9cb6ae0f08400c0b5ccde815d8#diff-09def3f98d60fce78fbcc00e77c65795R3093
> 
> I hope you'll get a useful response from a security expert.
> 
> best regards
> 
> Jonathan

Hello Jonathan,

Once one allows unrestricted shell escape, all bets are off in terms of 
what an arbitrary package can do. However, there are legitimate uses for 
file operations: see e.g. pstool. (Other packages use non-restricted 
escape, for example minted to run pygmentize.)

Thus the question is whether on balance it seems better to say 'each 
package that wants to do such operations should write them out itself' 
or 'we will provide an abstraction'. Clearly, the latter could be seen 
as 'easier' for a malicious actor to use. On the other hand, writing 
platform-neutral abstractions for e.g. "remove all files" is actually 
not that difficult. So the barrier is low.

At present, we've put the operations in a separate file specifically so 
they have to be loaded explicitly. However, one can see that they may be 
loaded by a third-party package, e.g. pstool could be altered to do 
this. They'd then be 'hidden' to some extent.

It's important to emphasise that with a normal TeX Live or MiKTeX setup, 
these macros will not do anything as *they are restricted by the 
engine settings*. As such, there is already a 'user opt-in'.

Joseph
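To make the 'user opt-in' point above concrete, here is an added example (not code from the thread or from l3sys-shell): an expl3 wrapper that only reaches the shell when the engine reports unrestricted shell escape, and writes an audit line to the .log either way. The \demo_ names and the `demo` message module are hypothetical; \sys_if_shell_unrestricted:TF, \sys_if_shell_restricted:TF and \sys_shell_now:n are existing l3sys functions.

```latex
% Added example, not part of the original thread or of l3sys-shell.
% Names starting with \demo_ are hypothetical.
\documentclass{article}
\usepackage{expl3}
\ExplSyntaxOn
\msg_new:nnn { demo } { shell-state }
  { Shell~escape~state:~#1 }
\msg_new:nnn { demo } { shell-refused }
  { Refusing~to~run~'#1':~unrestricted~shell~escape~is~not~enabled }
\msg_new:nnn { demo } { shell-run }
  { Running~shell~command:~'#1' }
% Run #1 via the shell only if the engine was started with unrestricted
% shell escape (e.g. --shell-escape); otherwise log the refusal and stop.
\cs_new_protected:Npn \demo_shell_guarded:n #1
  {
    \sys_if_shell_unrestricted:TF
      {
        \msg_log:nnn { demo } { shell-run } {#1}
        \sys_shell_now:n {#1}
      }
      { \msg_log:nnn { demo } { shell-refused } {#1} }
  }
% Expands to the engine's shell escape mode as a word.
\cs_new:Npn \demo_shell_state:
  {
    \sys_if_shell_unrestricted:TF { unrestricted }
      { \sys_if_shell_restricted:TF { restricted } { disabled } }
  }
\ExplSyntaxOff
\begin{document}
\ExplSyntaxOn
\msg_log:nnx { demo } { shell-state } { \demo_shell_state: }
% Harmless command: under a default TeX Live/MiKTeX setup (restricted
% mode) this is refused and only the audit line reaches the .log file.
\demo_shell_guarded:n { echo~demo }
\ExplSyntaxOff
Compiled with shell escape state:
\ExplSyntaxOn \demo_shell_state: \ExplSyntaxOff
\end{document}
```

Compiling once with plain `pdflatex` and once with `pdflatex --shell-escape` shows the two branches in the .log file.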