General

eugene8086 · Post by **eugene8086** » Fri Aug 05, 2016 9:16 am

I`m creating the rendering images (with a formulas) script for the web site, which is based on texlive. I have found that there is a security vulnerability.

For example, using the commands \include \input \openin \read \openout \write a user can embed in the document that is processed on the server and open, read, write a files.

There is also a risk insert commands that cause an infinite loop, for example \loop \while.

How to anticipate all the dangers? For example, there is a form of use \@input. What other operators are dangerous? Where can I find documentation for a complete list of commands, working with files, inserting executable code into the tex document? I want to write the full black list and filter them.

(Sorry for my bad English)

NEW: TikZ book now 40% off at Amazon.com for a short time.

Post by **Stefan Kottwitz** » Sat Jun 23, 2018 4:08 pm

A blacklist is already good, plus disabling write18 / shell-escape.

You could use a docker container, that contains a TeX installation, with compilation done by a non-root user. With docker, at compiling time an operating system image is created, used, and destroyed afterwards. Each compilation uses a new container. That's another level of protection. That's a way cloud services work for thousands of users at the same time: each user and each LaTeX run has its own container created, used, and removed. The provider maintains a container with a Linux image and TeX live on it.

Stefan

nlct · Post by **nlct** » Tue Jul 24, 2018 6:02 pm

There are also some TeX Live security settings in texmf.cnf regarding I/O. You can use kpsewhich -a texmf.cnf to find the file. Input (\input or \openin) is governed by openin_any and output (\openout) is governed by openout_any. The most secure setting is p (paranoid)

Code: Select all

1
2
openin_any = p
openout_any = p
 
 
הההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההה
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

This disallows opening dot files, forbids going to parent directories, and only allows absolute paths that are under $TEXMFOUTPUT (for writing). This will only allow files within the current directory (or sub-directories thereof), so the user won't be able to input arbitrary files outside of it. (Class files and packages in the TEXMF tree can still be input.)

An infinite loop can also be triggered with a simple recursive definition. For example:

Code: Select all

1
\def\foo{\foo}\foo
 
 
הההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההההה
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

The only way effective way, that I can think of, to guard against that is to have a timeout on the process that runs TeX/LaTeX.

Regards
Nicola Talbot

LaTeX.org

General ⇒ Hacking with LaTeX! How to protect?

Hacking with LaTeX! How to protect?

Hacking with LaTeX! How to protect?

Hacking with LaTeX! How to protect?