[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#311997: ITP: gaim-latex -- gaim plugin wich translate LaTeX code into image in conversation

Le mardi 07 juin 2005 à 05:10 +0200, Nicolas Schoonbroodt a écrit :

MMmmm these are good news :-),
> If you can tell me where you find the tex2im depandancy (README,
> INSTALL, ...) It can help me for remove it in the next version.
Well, I've just looked into your files.
I can now said that I've made a mistake. You're plugin seems to doesn't
use tex2im now.
But I know what makes me missunderstand :
in README file :
"README:This is a plugin for Gaim [1] that allows you to display LaTeX
[2] output into your IMs. This plugin needs the tex2im tool [3]."

> Now, about the security problem...
> I have blacklisted the same command than kopetetex, that is :
> > #define NB_BLACKLIST (42)
> > #define BLACKLIST {"\\def","\\let","\\futurelet","\\newcommand","\\renewcomment","\\else","\\fi","\\write","\\input","\\include","\\chardef","\\catcode","\\makeatletter","\\noexpand","\\toksdef","\\every","\\errhelp","\\errorstopmode","\\scrollmode","\\nonstopmode","\\batchmode","\\read","\\csname","\\newhelp","\\relax","\\afterground","\\afterassignment","\\expandafter","\\noexpand","\\special","\\command","\\loop","\\repeat","\\toks","\\output","\\line","\\mathcode","\\name","\\item","\\section","\\mbox","\\DeclareRobustCommand"}
Great :-)
Why not define a WHITELIST instead of a BLACKLIST ? isn't it more
secured ?
> So (in normal case) all of this command will not be "authorised"
> (in fact, if you send a message like :
> normal text \input in normal text $$equation$$ normal text $$equation $$
> (or with the blacklisted command in the $$equation part$$) the message
> _will not_ be transform using latex compiler. (with the is_blacklisted
> function)
Ok thanks
> If some other command have to be blacklisted, I hear you.

Well, I don't know LaTeX enough to gives you more commands (if there's
> If you have any suggestion with security problem (for example error in
> my code, or latex hack to "eviter" (french word, don't know in English)
avoid no ? ;-) but I'm french too so it's not a problem for me to
> this security), you can continue the discussion here, I will read it.
> Also other bug can be posted on sourceforge, for example.
Ok, I think we can know close my bug report on sourceforge no ?

> Nicolas Schoonbroodt
Thank you very much for your help,
I hope I will be able to package it in Debian

Martin Braure de Calignon

Reply to: