On Wed, Mar 24, 2010 at 10:43 AM, Conrad Irwin <conrad.ir...@googlemail.com> wrote:
> Yes, \openout, \write, \closeout, \openin, \read, \closein. The infamous
> one is \write18, 18 is a special file descriptor that just executes
> shell commands, you can also use \openin={|<shell command>}.
>
> People have noticed this problem, so some distributions disable \write18
> (and opening with |), and also configure it such that files can only be
> read and written within the current directory or subdirectories. This
> is, to my knowledge, not by-passable.

As long as the worst that could happen on a large majority of installations is DoS, I don't think we should be afraid to rewrite the code just because *maybe* it would be less secure. We should obviously check over the new code carefully, but I wouldn't say it's any more security-critical than random pieces of MediaWiki -- which are typically vulnerable to XSS if someone forgets to escape something.
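
Added example, not part of the original message or of MediaWiki's code: one way a renderer could apply the restrictions described in the quoted text (shell escape off, file access confined to the working directory) and bound the DoS case with a timeout. The switch and variable names assume TeX Live (web2c/kpathsea); the function names and the `input.tex` job name are hypothetical.

```python
import os
import subprocess
import tempfile
from pathlib import Path

# Assumption: TeX Live (web2c/kpathsea) names; other distributions differ.
HARDENED_ENV = {
    "shell_escape": "f",   # no \write18 and no piped \openin
    "openin_any": "p",     # "paranoid": read only at or below the cwd
    "openout_any": "p",    # "paranoid": write only at or below the cwd
}

def hardened_invocation(job="input.tex", engine="latex"):
    """Return (argv, env) for an untrusted TeX job, without running it."""
    argv = [engine, "-no-shell-escape", "-interaction=nonstopmode",
            "-halt-on-error", job]
    # Start from a minimal environment so caller settings cannot relax it.
    env = {"PATH": os.environ.get("PATH", "/usr/bin:/bin")}
    env.update(HARDENED_ENV)
    return argv, env

def render_untrusted(tex_source, engine="latex", timeout_s=10):
    """Compile tex_source in a throwaway directory; return (ok, detail)."""
    with tempfile.TemporaryDirectory(prefix="texjob-") as workdir:
        Path(workdir, "input.tex").write_text(tex_source, encoding="utf-8")
        argv, env = hardened_invocation(engine=engine)
        env["HOME"] = workdir          # keep per-user TeX config out of the job
        try:
            proc = subprocess.run(
                argv, cwd=workdir, env=env, timeout=timeout_s,
                stdin=subprocess.DEVNULL, capture_output=True,
                text=True, errors="replace")
        except subprocess.TimeoutExpired:
            # The DoS case from the reply, e.g. a macro that never terminates.
            return False, "timed out"
        except FileNotFoundError:
            return False, "engine not installed"
        return proc.returncode == 0, proc.stdout[-500:]

if __name__ == "__main__":
    # Constructed sample input.
    sample = (r"\documentclass{article}\begin{document}"
              r"$e^{i\pi}+1=0$\end{document}")
    print(render_untrusted(sample))
```

The timeout bounds wall-clock time only; memory and disk limits would have to come from the operating system.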