On Tuesday 07 June 2005 at 05:10 +0200, Nicolas Schoonbroodt wrote:
> So... (sorry for my English.) Lots of conversation about my plugin on your mailing list.
>
> And also a bug report on SourceForge, related to your remark.
> My message will not be complete (because it's 4:50 am here and I must be at school at 8 am).
>
> First of all, you speak of a tex2im dependency. This is not needed since version 0.3. Now I make the following system calls:
> (yep, it's not a good way, for example if /tmp doesn't exist)
> FILE_SOMETHING represents /tmp/gaimTeX.something
>
> chdir("/tmp")
> system("latex -interaction=nonstopmode " FILE_TEX)
> system("dvips -o" FILE_PS " -E " FILE_DVI)
> system("convert " FILE_PS " " FILE_PNG)
>
> and finally I do a
> system("rm -rf /tmp/GaimTeX.*") somewhere
>
> If you can tell me where you found the tex2im dependency (README, INSTALL, ...), it can help me remove it in the next version.
>
> Now, about the security problem...
>
> Yes, I know it's possible to have some problems with the latex call. But if someone sends
> $$\input{/etc/passwd}$$
> he will see (at best) the local /etc/passwd file, and the receiver the local /etc/passwd. So not the same.
>
> And in reality, he will see nothing. One of the (the principal?) authors of kopeteTeX (which is compatible, to respond to one of the first questions) (the developer is Olivier Goffart) gave me a piece of advice, which was to blacklist some commands.
> I have blacklisted the same commands as kopetetex, that is:
>
> #define NB_BLACKLIST (42)
> #define BLACKLIST
> {"\\def","\\let","\\futurelet","\\newcommand","\\renewcomment","\\else","\\fi","\\write","\\input","\\include","\\chardef","\\catcode","\\makeatletter","\\noexpand","\\toksdef","\\every","\\errhelp","\\errorstopmode","\\scrollmode","\\nonstopmode","\\batchmode","\\read","\\csname","\\newhelp","\\relax","\\afterground","\\afterassignment","\\expandafter","\\noexpand","\\special","\\command","\\loop","\\repeat","\\toks","\\output","\\line","\\mathcode","\\name","\\item","\\section","\\mbox","\\DeclareRobustCommand"}
>
> So (in the normal case) none of these commands will be "authorised"
> (in fact, if you send a message like:
> normal text \input in normal text $$equation$$ normal text $$equation $$
> (or with a blacklisted command in the $$equation$$ part), the message _will not_ be transformed using the latex compiler (with the is_blacklisted function).
>
> If some other commands have to be blacklisted, I hear you.
>
> If you have any suggestions about security problems (for example errors in my code, or a latex hack to "éviter" (French for "avoid") this security), you can continue the discussion here; I will read it.
>
> Other bugs can also be posted on SourceForge, for example.
>
> Nicolas Schoonbroodt
Considering Nicolas Schoonbroodt's (upstream author) mail, do you think I can package it and ask someone to upload it (on mentors, of course)? Or do you think there is still a security problem in his software? I've read the sources; there is, as Nicolas said, a blacklist of commands that can't be used. I sent him a bug report because there's a typo (\\renewcomment instead of \\renewcommand). Thank you all for your comments; I'll be more aware of possible security problems next time.

-- 
Martin Braure de Calignon (error3)
"Active member of Amaya fan club, and of her tatoo"
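The thread turns on two design points: a blacklist of control sequences scanned out of the message, and a fixed pipeline of system() calls on fixed file names under /tmp. The following is an added example (written for this page, not code from the gaim-TeX plugin, kopeteTeX or anyone in the thread) showing the inverse approach: an allowlist of math control words, with everything else rejected by default, so the check does not depend on a list of dangerous names being complete (the list in the mail, for instance, carries the \renewcomment typo and a duplicated \noexpand), plus a render step that uses a per-call mkdtemp directory and fork/exec instead of system(). Names such as tex_is_safe, render_snippet, the /tmp/gaimTeX.XXXXXX template and the contents of ALLOWED_WORDS are hypothetical. It assumes a web2c/Kpathsea-based latex (which reads openin_any, openout_any and shell_escape from the environment and accepts -no-shell-escape), plus dvips and ImageMagick's convert on PATH.

```c
#define _XOPEN_SOURCE 700
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

/* Hypothetical allowlist of control words a math snippet may use. \input,
 * \write, \csname, \catcode, \def and friends are refused simply by not
 * being here, so there is no "bad" list to keep complete. */
static const char *const ALLOWED_WORDS[] = {
    "frac", "sqrt", "sum", "prod", "int", "lim", "infty", "cdot", "times",
    "left", "right", "alpha", "beta", "gamma", "theta", "pi", "sigma",
    "omega", "le", "ge", "ne", "to", "partial", "mathrm", "quad", NULL
};

/* Control symbols (backslash + one non-letter) that are harmless in math. */
static const char ALLOWED_SYMBOLS[] = "\\{},;!";

static bool word_allowed(const char *w, size_t n)
{
    for (size_t i = 0; ALLOWED_WORDS[i]; i++)
        if (strlen(ALLOWED_WORDS[i]) == n && memcmp(ALLOWED_WORDS[i], w, n) == 0)
            return true;
    return false;
}

/* Accept a snippet only if every byte is printable ASCII, every control
 * sequence is on the allowlist, and TeX's ^^ notation does not appear:
 * ^^5c is read by TeX as a backslash before any string check sees it,
 * so a name-based filter that lets "^^" through can be spelled around. */
bool tex_is_safe(const char *src)
{
    size_t len = strlen(src);
    if (len == 0 || len > 512)
        return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)src[i];
        if (c < 0x20 || c > 0x7e)
            return false;               /* control bytes, non-ASCII */
        if (c == '^' && i + 1 < len && src[i + 1] == '^')
            return false;               /* ^^ notation */
        if (c == '%' || c == '#')
            return false;               /* comment / macro-parameter characters */
        if (c != '\\')
            continue;
        size_t j = i + 1;
        while (j < len && isalpha((unsigned char)src[j]))
            j++;
        if (j == i + 1) {               /* control symbol: \\ \{ \} ... */
            if (j >= len || !strchr(ALLOWED_SYMBOLS, src[j]))
                return false;
            i = j;
        } else {                        /* control word: \frac, \sum, ... */
            if (!word_allowed(src + i + 1, j - i - 1))
                return false;
            i = j - 1;
        }
    }
    return true;
}

/* Run argv in dir without a shell, with an environment that tells Kpathsea
 * to refuse reads and writes outside the working tree and to disable
 * \write18. Returns the child's exit status, or -1 on failure. */
static int run_in_dir(const char *dir, char *const argv[])
{
    static char *env[] = { "PATH=/usr/bin:/bin", "openin_any=p",
                           "openout_any=p", "shell_escape=f", NULL };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (chdir(dir) != 0)
            _exit(127);
        environ = env;
        execvp(argv[0], argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Typeset one allowlisted snippet; on success png_out holds the PNG path.
 * The private mkdtemp directory (mode 0700) means no fixed /tmp name is
 * shared between users or between two messages. Caller removes the dir. */
int render_snippet(const char *snippet, char *png_out, size_t png_len)
{
    if (!tex_is_safe(snippet))
        return -1;
    char dir[] = "/tmp/gaimTeX.XXXXXX";  /* hypothetical template */
    if (mkdtemp(dir) == NULL)
        return -1;
    char path[64];
    snprintf(path, sizeof path, "%s/eq.tex", dir);
    FILE *f = fopen(path, "w");
    if (!f)
        return -1;
    fprintf(f, "\\documentclass{article}\\pagestyle{empty}\\begin{document}"
               "$\\displaystyle %s$\\end{document}\n", snippet);
    fclose(f);
    char *latex[]   = { "latex", "-interaction=nonstopmode", "-no-shell-escape", "eq.tex", NULL };
    char *dvips[]   = { "dvips", "-E", "-o", "eq.ps", "eq.dvi", NULL };
    char *convert[] = { "convert", "eq.ps", "eq.png", NULL };
    if (run_in_dir(dir, latex) != 0 || run_in_dir(dir, dvips) != 0 ||
        run_in_dir(dir, convert) != 0)
        return -1;
    snprintf(png_out, png_len, "%s/eq.png", dir);
    return 0;
}
```

The three Kpathsea variables do the same job as the blacklist but inside TeX itself: openin_any=p and openout_any=p ("paranoid") refuse absolute and parent-directory paths and dotfiles, and shell_escape=f turns off \write18, so even a control sequence the filter missed cannot read /etc/passwd or run a command. Since execvp never invokes a shell, the file names need no quoting, and because the working directory is fresh and private, the final cleanup can remove just that directory rather than globbing /tmp.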