diff options
| author | Josh Triplett <josh@joshtriplett.org> | 2009-08-28 23:07:27 -0700 |
|---|---|---|
| committer | Josh Triplett <josh@joshtriplett.org> | 2009-08-28 23:18:07 -0700 |
| commit | 9f75d3b1f3c43820cff9ce554601f64c60d72b14 (patch) | |
| tree | 0b8907816f99d63ac9579c9a56ad05bd1beb1abc /IkiWiki | |
| parent | 03449610d6c666ba24bea68f01d896613e522278 (diff) | |
| download | ikiwiki-9f75d3b1f3c43820cff9ce554601f64c60d72b14.tar ikiwiki-9f75d3b1f3c43820cff9ce554601f64c60d72b14.tar.gz | |
teximg: Make TeX handle preventing unsafe things; remove insufficient blacklist
TeX has configuration options that prevent unsafe things like shell
escapes and insecure file reads/writes. Turn all of them on.
teximg's regex-based blacklist does not suffice. For instance:
[[!teximg code="""
\catcode`\%=0
%input{/etc/passwd}
"""]]
Remove the blacklist, since the TeX configuration options seal off the
underlying mechanisms more safely, and the blacklist blocks other TeX
commands that can prove useful.
Diffstat (limited to 'IkiWiki')
| -rw-r--r-- | IkiWiki/Plugin/teximg.pm | 40 |
1 files changed, 2 insertions, 38 deletions
diff --git a/IkiWiki/Plugin/teximg.pm b/IkiWiki/Plugin/teximg.pm index dba5372b5..f92ed0132 100644 --- a/IkiWiki/Plugin/teximg.pm +++ b/IkiWiki/Plugin/teximg.pm @@ -69,13 +69,7 @@ sub preprocess (@) { if (! defined $code && ! length $code) { error gettext("missing tex code"); } - - if (check($code)) { - return create($code, check_height($height), \%params); - } - else { - error gettext("code includes disallowed latex commands") - } + return create($code, check_height($height), \%params); } sub check_height ($) { @@ -155,7 +149,7 @@ sub gen_image ($$$$) { my $tmp = eval { create_tmp_dir($digest) }; if (! $@ && writefile("$digest.tex", $tmp, $tex) && - system("cd $tmp; latex --interaction=nonstopmode $tmp/$digest.tex > /dev/null") == 0 && + system("cd $tmp; shell_escape=f openout_any=p openin_any=p latex --interaction=nonstopmode $digest.tex < /dev/null > /dev/null") == 0 && # ensure destination directory exists writefile("$imagedir/$digest.png", $config{destdir}, "") && (($config{teximg_dvipng} && @@ -191,34 +185,4 @@ sub create_tmp_dir ($) { return $tmpdir; } -sub check ($) { - # Check if the code is ok - my $code = shift; - - my @badthings = ( - qr/\$\$/, - qr/\\include/, - qr/\\includegraphic/, - qr/\\usepackage/, - qr/\\newcommand/, - qr/\\renewcommand/, - qr/\\def/, - qr/\\input/, - qr/\\open/, - qr/\\loop/, - qr/\\errorstopmode/, - qr/\\scrollmode/, - qr/\\batchmode/, - qr/\\read/, - qr/\\write/, - ); - - foreach my $thing (@badthings) { - if ($code =~ m/$thing/ ) { - return 0; - } - } - return 1; -} - 1 |