
Re: Bug#311997: ITP: gaim-latex -- gaim plugin wich translate LaTeX code into image in conversation

On Tuesday 07 June 2005 at 05:10 +0200, Nicolas Schoonbroodt wrote:
> So...(sorry for English)
> a lot of conversation about my plugin on your mailing list.
> And also a bug report on sourceforge, related to your remark.
> My message will not be complete (because it's 4.50 am here and I
> must be at school at 8am)
> First of all, you speak of the tex2im dependency. This has not been needed since
> version 0.3. Now I make the following system calls:
> (yep, it's not a good way, for example if /tmp doesn't exist)
> FILE_SOMETHING represents /tmp/gaimTeX.something
> chdir("/tmp")
> system("latex -interaction=nonstopmode " FILE_TEX)
> system("dvips -o" FILE_PS " -E " FILE_DVI)
> system("convert " FILE_PS " " FILE_PNG)
> and finally I do a
> system("rm -rf /tmp/GaimTeX.*") somewhere
> If you can tell me where you found the tex2im dependency (README,
> INSTALL, ...), it can help me remove it in the next version.
> Now, about the security problem...
> Yes, I know it's possible to have some problems with the latex call. But if
> someone sends
> $$\input{/etc/passwd}$$
> he will see (at best) the local /etc/passwd file, and the receiver, the
> local /etc/passwd. So not the same.
> And in reality, he will see nothing. One of the (the principal?) authors
> of kopeteTeX (which is compatible, to respond to one of the first
> questions) (the developer is Olivier Goffart) has given me some advice, which
> was to blacklist some commands.
> I have blacklisted the same commands as kopetetex, that is:
> > #define NB_BLACKLIST (42)
> > #define BLACKLIST {"\\def","\\let","\\futurelet","\\newcommand","\\renewcomment","\\else","\\fi","\\write","\\input","\\include","\\chardef","\\catcode","\\makeatletter","\\noexpand","\\toksdef","\\every","\\errhelp","\\errorstopmode","\\scrollmode","\\nonstopmode","\\batchmode","\\read","\\csname","\\newhelp","\\relax","\\afterground","\\afterassignment","\\expandafter","\\noexpand","\\special","\\command","\\loop","\\repeat","\\toks","\\output","\\line","\\mathcode","\\name","\\item","\\section","\\mbox","\\DeclareRobustCommand"}
> So (in the normal case) all of these commands will not be "authorised"
> (in fact, if you send a message like:
> normal text \input in normal text $$equation$$ normal text $$equation $$
> (or with the blacklisted command in the $$equation part$$) the message
> _will not_ be transformed using the latex compiler (with the is_blacklisted
> function)).
> If some other commands have to be blacklisted, I'm listening.
> If you have any suggestions about security problems (for example an error in
> my code, or a latex hack to "eviter" (french word, don't know in English)
> this security), you can continue the discussion here, I will read it.
> Other bugs can also be posted on sourceforge, for example.
> Nicolas Schoonbroodt

Considering Nicolas Schoonbroodt (upstream author)'s mail,
do you think I can package it and ask for someone to upload it (on
mentors of course)? Or do you think there is still a security problem in
his software?
I've read the sources; there is, as Nicolas said, a blacklist of commands
that can't be used.
I send him a bug because there's a typo (\\renewcomment instead of \

Thank you all for your comments, I'll be more aware next time of
possible security problems.

Martin Braure de Calignon
"Active member of Amaya fan club, and of her tattoo"
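
The check described in the quoted mail (a listed command anywhere in the message stops the whole message from being rendered), next to an allow-list variant that rejects any command it does not know. This is an added example, not the plugin's code: substring matching in `is_blacklisted`, the `ALLOWED` list, `only_allowed_commands` and the sample messages are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Subset of the blacklist quoted in the mail above (entries copied as-is). */
static const char *BLACKLIST[] = {"\\def", "\\let", "\\write", "\\input",
    "\\include", "\\catcode", "\\csname", "\\special", "\\line"};
/* Hypothetical allow-list of math control words; not taken from the plugin. */
static const char *ALLOWED[] = {"frac", "sqrt", "alpha", "sum", "int"};
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Deny-list check as the mail describes it: a listed command anywhere in
 * the message (inside or outside $$...$$) blocks rendering. Substring
 * matching is an assumption about how the plugin compares. */
int is_blacklisted(const char *msg)
{
    for (size_t i = 0; i < COUNT(BLACKLIST); i++)
        if (strstr(msg, BLACKLIST[i]) != NULL)
            return 1;
    return 0;
}

/* Allow-list alternative: extract every control word (backslash followed by
 * letters) and accept the message only if each one is explicitly allowed.
 * A backslash followed by a non-letter is rejected as well. */
int only_allowed_commands(const char *msg)
{
    for (const char *p = msg; (p = strchr(p, '\\')) != NULL; ) {
        const char *start = ++p;
        while (isalpha((unsigned char)*p))
            p++;
        size_t len = (size_t)(p - start);
        int ok = 0;
        for (size_t i = 0; len > 0 && i < COUNT(ALLOWED); i++)
            if (strlen(ALLOWED[i]) == len && strncmp(start, ALLOWED[i], len) == 0)
                ok = 1;
        if (!ok)
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample messages; \foo stands for any unlisted command. */
    const char *msgs[] = {"normal text \\input in normal text $$x^2$$",
                          "$$\\frac{a}{b} + \\sqrt{c}$$", "$$\\foo{x}$$"};
    for (size_t i = 0; i < COUNT(msgs); i++)
        printf("blacklisted=%d allowed=%d  %s\n", is_blacklisted(msgs[i]),
               only_allowed_commands(msgs[i]), msgs[i]);
    return 0;
}
```

The third message is where the two approaches differ: a command absent from both lists passes the deny-list but is refused by the allow-list.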
