
Re: Bug#311997: ITP: gaim-latex -- gaim plugin wich translate LaTeX code into image in conversation



On Tuesday 07 June 2005 at 05:10 +0200, Nicolas Schoonbroodt wrote:
> So...(sorry for English)
> a lot of conversation about my plugin on your mailing list.
> 
> And also a bug report on sourceforge, related to your remark.
> My message will not be complete (because it's 4.50 am here and I
> must be at school at 8am)
> 
> First of all, you speak of the tex2im dependency. This is not needed since
> version 0.3. Now I make the following system calls:
> (yep, it's not a good way, for example if /tmp doesn't exist)
> FILE_SOMETHING represents /tmp/gaimTeX.something
> 
> chdir("/tmp")
> system("latex -interaction=nonstopmode " FILE_TEX)
> system("dvips -o" FILE_PS " -E " FILE_DVI)
> system("convert " FILE_PS " " FILE_PNG)
> 
> and finally I do a
> system("rm -rf /tmp/GaimTeX.*") somewhere
> 
> If you can tell me where you find the tex2im dependency (README,
> INSTALL, ...), it can help me remove it in the next version.
> 
> Now, about the security problem...
> 
> Yes, I know it's possible to have some problems with the latex call. But if
> someone sends
> $$\input{/etc/passwd}$$
> he will see (at best) the local /etc/passwd file, and the receiver, the
> local /etc/passwd. So not the same.
> 
> And in reality, he will see nothing. One of the (the principal?) authors
> of kopeteTeX (which is compatible, to respond to one of the first
> questions) (the developer is Olivier Goffart) has given me a piece of
> advice, which was to blacklist some commands.
> 
> I have blacklisted the same commands as kopetetex, that is:
> > #define NB_BLACKLIST (42)
> > #define BLACKLIST {"\\def","\\let","\\futurelet","\\newcommand","\\renewcomment","\\else","\\fi","\\write","\\input","\\include","\\chardef","\\catcode","\\makeatletter","\\noexpand","\\toksdef","\\every","\\errhelp","\\errorstopmode","\\scrollmode","\\nonstopmode","\\batchmode","\\read","\\csname","\\newhelp","\\relax","\\afterground","\\afterassignment","\\expandafter","\\noexpand","\\special","\\command","\\loop","\\repeat","\\toks","\\output","\\line","\\mathcode","\\name","\\item","\\section","\\mbox","\\DeclareRobustCommand"}
> 
> So (in the normal case) all of these commands will not be "authorised"
> (in fact, if you send a message like:
> normal text \input in normal text $$equation$$ normal text $$equation $$
> (or with the blacklisted command in the $$equation part$$) the message
> _will not_ be transformed using the latex compiler (with the is_blacklisted
> function)).
> 
> If some other commands have to be blacklisted, I hear you.
> 
> If you have any suggestion with security problem (for example error in
> my code, or latex hack to "eviter" (French word, don't know in English)
> this security), you can continue the discussion here, I will read it.
> 
> Also other bugs can be posted on sourceforge, for example.
> 
> Nicolas Schoonbroodt

Considering Nicolas Schoonbroodt's (upstream author) mail,
do you think I can package it and ask for someone to upload it (on
mentors of course)? Or do you think there is still a security problem in
his software?
I've read the sources; there is, as Nicolas said, a blacklist of commands
that can't be used.
I send him a bug because there's a typo (\\renewcomment instead of
\\renewcommand).

Thank you all for your comments, I'll be more aware next time of
possible security problems.

--
Martin Braure de Calignon
(error3)
"Active member of Amaya fan club, and of her tatoo"
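
The substring blacklist check discussed in this thread, as an added example that is not part of either mail or of gaim-latex's own source. `is_blacklisted` here is an assumed reimplementation using `strstr`, and its `typo_fixed` parameter is hypothetical; it compares the list as quoted with the same list once `\\renewcommand` is spelled correctly, and shows that substring matching also rejects harmless commands such as `\linewidth`.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Blacklist copied from the quoted mail, "\\renewcomment" typo included. */
static const char *const BLACKLIST[] = {
    "\\def", "\\let", "\\futurelet", "\\newcommand", "\\renewcomment",
    "\\else", "\\fi", "\\write", "\\input", "\\include", "\\chardef",
    "\\catcode", "\\makeatletter", "\\noexpand", "\\toksdef", "\\every",
    "\\errhelp", "\\errorstopmode", "\\scrollmode", "\\nonstopmode",
    "\\batchmode", "\\read", "\\csname", "\\newhelp", "\\relax",
    "\\afterground", "\\afterassignment", "\\expandafter", "\\noexpand",
    "\\special", "\\command", "\\loop", "\\repeat", "\\toks", "\\output",
    "\\line", "\\mathcode", "\\name", "\\item", "\\section", "\\mbox",
    "\\DeclareRobustCommand"
};
#define NB_BLACKLIST (sizeof BLACKLIST / sizeof BLACKLIST[0])

/* Assumed behaviour: reject the whole message if any entry occurs in it as
 * a substring. typo_fixed != 0 checks "\\renewcommand" in place of the typo. */
int is_blacklisted(const char *msg, int typo_fixed)
{
    for (size_t i = 0; i < NB_BLACKLIST; i++) {
        const char *cmd = BLACKLIST[i];
        if (typo_fixed && strcmp(cmd, "\\renewcomment") == 0)
            cmd = "\\renewcommand";
        if (strstr(msg, cmd) != NULL)
            return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample messages. */
    const char *samples[] = {
        "text $$\\input{/etc/passwd}$$", "$$\\renewcommand$$",
        "$$\\linewidth$$", "$$\\frac{a}{b}$$"
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-32s quoted=%d fixed=%d\n", samples[i],
               is_blacklisted(samples[i], 0), is_blacklisted(samples[i], 1));
    return 0;
}
```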


