On Wed, 24 Sep 2008, Uwe Brauer wrote:

  >>> Correct. It converts wiki (via XML, then LaTeX) to PDF. Please
  >>> note that allowing plain, arbitrary LaTeX to be parsed on an open
  >>> wiki is a security risk.
  >>
  >> why is this so, what a pity that would be ideal for collaboration.

  > To which of the above parts do you refer?

  The part that it is a security risk to allow arbitrary LaTeX (I am thinking here of amstex, or standard+amsmath, no user defined macros) to be parsed.

(La)TeX is a programming language, so you can do a lot in it. However, you don't need to create a large program in order to get a security issue. For instance, you could use e.g. '\input' to show /etc/passwd and thus the names of the accounts on the machine where the LaTeX is run. Or you could show other files that the web server is supposed to only read, not show to the world. This could for instance be the content of wiki pages, including those that are supposedly protected by password or by .htaccess...

Basically, this is similar to letting the users run arbitrary programs (as the web server user).

Please note that we still have the security issues when embedding a LyX-file, simply because that file can contain arbitrary LaTeX code...

regards
/Christian

--
Christian Ridderström, +46-8-768 39 44            http://www.md.kth.se/~chr
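The message above explains why letting a wiki pass user-submitted LaTeX straight to a TeX engine amounts to letting users run programs as the web server user. Below is an added example (not code from the thread, the LyX wiki, or its authors) of the defensive approach that follows from that observation: because TeX is a full programming language, a blocklist of "bad" commands is not enough (\csname, \catcode and the ^^ notation can rebuild any name), so the validator accepts only a small allowlist of math-oriented control sequences and environments and rejects everything else. The allowlist contents are an assumption chosen for this illustration; a real deployment would tune them to the wiki's needs.

```python
import re

# Allowlist of control sequences considered safe for math markup.
# Constructed for this example; extend deliberately, never by blocklisting.
ALLOWED_CS = {
    "frac", "sqrt", "sum", "int", "prod", "alpha", "beta", "gamma", "theta", "pi",
    "infty", "cdot", "times", "left", "right", "begin", "end", "label", "ref",
    "text", "mathbb", "mathcal", "partial", "nabla", "leq", "geq", "neq", "to",
    # single-character control symbols: \, \; \! \<space> \{ \} \\ \_ \^ \&
    ",", ";", "!", " ", "{", "}", "\\", "_", "^", "&",
}

# Environments the wiki is willing to typeset (assumed set for the example).
ALLOWED_ENVS = {"align", "align*", "equation", "equation*", "gather",
                "pmatrix", "cases"}

# A control sequence is a backslash followed by a run of letters, or a
# backslash followed by exactly one non-letter character (a control symbol).
CS_RE = re.compile(r"\\([A-Za-z]+|.)", re.DOTALL)

# \begin{...} / \end{...} with the environment name captured.
ENV_RE = re.compile(r"\\(begin|end)\s*\{([^}]*)\}")


def find_violations(src):
    """Return a list of reasons the snippet is rejected (empty means accepted).

    Every control sequence and environment must be on the allowlist, so
    \\input, \\openin, \\write, \\catcode, \\csname etc. are rejected without
    ever having to enumerate them.
    """
    violations = []
    # ^^ lets TeX spell any character (and so any command name) by its code.
    if "^^" in src:
        violations.append("'^^' character-code escape")
    for m in CS_RE.finditer(src):
        name = m.group(1)
        if name not in ALLOWED_CS:
            violations.append(f"control sequence \\{name}")
    for m in ENV_RE.finditer(src):
        env = m.group(2).strip()
        if env not in ALLOWED_ENVS:
            violations.append(f"environment {env}")
    return violations


def is_safe(src):
    """True only when the snippet uses nothing outside the allowlists."""
    return not find_violations(src)


if __name__ == "__main__":
    # Constructed sample inputs: ordinary amsmath on the left, the file
    # disclosure described in the thread on the right.
    for snippet in (r"\begin{align} \frac{1}{2} \leq \sum_{i=1}^{n} x_i \end{align}",
                    r"\input{/etc/passwd}",
                    r"\csname input\endcsname{/etc/passwd}"):
        print(repr(snippet), "->", find_violations(snippet) or "accepted")
```

Such a filter is a first line of defence, not the only one: the TeX run itself should still happen in a sandbox as an unprivileged user, with TeX Live's `openin_any = p`, `openout_any = p` and `shell_escape = f` set in texmf.cnf so that even a snippet that slips through cannot read outside the working directory or spawn commands.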
