On 24/08/2018 18:10, Jonathan Fine wrote:
> Hi Joseph
>
> Thank you for your email on l3sys-shell. You wrote:
>
>> There are two broad questions we have. First, how do people feel about
>> these concepts? We can see that there may be some security concerns, hence
>> not adding directly to the expl3 core. However, as one has to be running
>> with unrestricted shell escape anyway, we are not sure if providing macro
>> wrappers makes these worse:
>
> I'm not a security expert. Are you, Joseph? In any case, I've asked your
> question on stack exchange, and put a code review comment on github. Here's
> the URLs
>
> - https://security.stackexchange.com/questions/192249/concerns-about-latex-3-shell-escape-code
> - https://github.com/latex3/latex3/commit/7b62e64dde239f9cb6ae0f08400c0b5ccde815d8#diff-09def3f98d60fce78fbcc00e77c65795R3093
>
> I hope you'll get a useful response from a security expert.
>
> best regards
>
> Jonathan

Hello Jonathan,

Once one allows unrestricted shell escape, all bets are off in terms of what an arbitrary package can do. However, there are legitimate uses for file operations: see e.g. pstool. (Other packages use non-restricted escape, for example minted to run pygmentize.)

Thus the question is whether on balance it seems better to say 'each package that wants to do such operations should write them out itself' or 'we will provide an abstraction'. Clearly, the latter could be seen as 'easier' for a malicious actor to use. On the other hand, writing platform-neutral abstractions for e.g. "remove all files" is actually not that difficult. So the barrier is low.

At present, we've put the operations in a separate file specifically so they have to be loaded explicitly. However, one can see that they may be loaded by a third-party package, e.g. pstool could be altered to do this. They'd then be 'hidden' to some extent.
It's important to emphasise that with a normal TeX Live or MiKTeX setup, these macros will not do anything as *they are restricted by the engine settings*. As such, there is already a 'user opt-in'.

Joseph