On Mon, Jun 06, 2005 at 02:14:51PM -0400, Anthony DeRobertis wrote:
> Martin Braure de Calignon wrote:
>
> > Quoting tex2im code:
> > ############
> > (...)
> > latex -interaction=batchmode out.tex > /dev/null
> > cd "$homedir"
> > dvips -o $tmpdir/out.eps -E $tmpdir/out.dvi 2> /dev/null
> > (...)
> > convert +adjoin -antialias -transparent $color1 -density $resolution
> > $tmpdir/out.eps $tmpdir/out.$format
> > (...)
> > #########
> > So they directly use latex.
>
> This looks like a Bad Idea(tm):
>
> anthony@bohr:latex-test$ cat out.tex
> \documentclass{letter}
> \begin{document}
> \input{/etc/passwd}
> \end{document}
>
> $ latex -interaction=batchmode out.tex > /dev/null
> $ dvips -o out.eps -E out.dvi 2> /dev/null
> $ convert +adjoin -antialias out.eps out.png
> $ see out.png
>
> And yes, the contents of /etc/passwd pop up on screen. Given this isn't
> too big a deal, but TeX can write files too, and would have permission
> to change any file the user does.
>
At some point, you do need to execute something on your machine, else
you may as well unplug it and find something else to do. I understand
what you are saying, but we can't put everyone in a small padded room.
Based on your assessment, we would have cause to seek the removal of
latex, vi, emacs, cat and less.
-Roberto
--
Roberto C. Sanchez
http://familiasanchez.net/~sanchezr
Attachment:
pgpg2YnnFPKBH.pgp
Description: PGP signature