Re: Bug#311997: ITP: gaim-latex -- gaim plugin wich translate LaTeX code into image in conversation

To: debian-devel@lists.debian.org
Subject: Re: Bug#311997: ITP: gaim-latex -- gaim plugin wich translate LaTeX code into image in conversation
From: Bill Allombert <ballombe@master.debian.org>
Date: Tue, 7 Jun 2005 11:25:01 -0500
Message-id: <[🔎] 20050607162501.GA11953@master.debian.org>
Mail-followup-to: Bill Allombert <ballombe@debian.org>, debian-devel@lists.debian.org
In-reply-to: <[🔎] 1118157581.10958.3.camel@localhost>
References: <[🔎] 42A5103D.5070604@ffsa.be> <[🔎] 1118157581.10958.3.camel@localhost>

On Tue, Jun 07, 2005 at 05:19:40PM +0200, Martin Braure de Calignon wrote:
> > I have blacklisted the same command than kopetetex, that is :
> > > #define NB_BLACKLIST (42)
> > > #define BLACKLIST {"\\def","\\let","\\futurelet","\\newcommand","\\renewcomment","\\else","\\fi","\\write","\\input","\\include","\\chardef","\\catcode","\\makeatletter","\\noexpand","\\toksdef","\\every","\\errhelp","\\errorstopmode","\\scrollmode","\\nonstopmode","\\batchmode","\\read","\\csname","\\newhelp","\\relax","\\afterground","\\afterassignment","\\expandafter","\\noexpand","\\special","\\command","\\loop","\\repeat","\\toks","\\output","\\line","\\mathcode","\\name","\\item","\\section","\\mbox","\\DeclareRobustCommand"}
> > 
> > So (in normal case) all of this command will not be "authorised"
> > (in fact, if you send a message like :
> > normal text \input in normal text $$equation$$ normal text $$equation $$
> > (or with the blacklisted command in the $$equation part$$) the message
> > _will not_ be transform using latex compiler. (with the is_blacklisted
> > function)
> > 
> > If some other command have to be blacklisted, I hear you.
> 
> Considering Nicolas Schoonbroodt (upstream author) 's mail,
> do you think I can package it and ask for someone to upload it (on
> mentors of course) ? Or do you think there is still security problem in
> his software ?
> I've read the sources, there is, as Nicolas said, a blacklist of command
> that can't be use.
> I send him a bug because there's a typo (\\renewcomment instead of \
> \renewcommand).

When I spoke of security nightmare, this was exactly what I had in mind.
You will never find a blacklist of command that prevent abuse, and the
current certainly does not. For example \usepackage and \documentclass
are not blacklisted so the attacker can load add-on packages that can
add potentially dangerous commands.  

I could not make sense of the criterium used for blacklisting,
e.g. why blacklisting \mbox ? Why blacklisting \section but not
\subsection ? why blacklisting \newcommand but not \newenvironment ?

You can try the whitelist approach, but LaTeX was not written with this
security requirement in mind so this is still potentially unsafe.

Cheers,
-- 
Bill. <ballombe@debian.org>

Imagine a large red swirl here.

Reply to:

Follow-Ups:
- Re: Bug#311997: ITP: gaim-latex -- gaim plugin wich translate LaTeX code into image in conversation
  - From: Nicolas Schoonbroodt <nicolas@ffsa.be>

References:
- Re: Bug#311997: ITP: gaim-latex -- gaim plugin wich translate LaTeX code into image in conversation
  - From: Nicolas Schoonbroodt <nicolas@ffsa.be>
- Re: Bug#311997: ITP: gaim-latex -- gaim plugin wich translate LaTeX code into image in conversation
  - From: Martin Braure de Calignon <braurede@free.fr>

Prev by Date: Re: Is Ubuntu a debian derivative or is it a fork?
Next by Date: Re: And now for something completely different... etch!
Previous by thread: Re: Bug#311997: ITP: gaim-latex -- gaim plugin wich translate LaTeX code into image in conversation
Next by thread: Re: Bug#311997: ITP: gaim-latex -- gaim plugin wich translate LaTeX code into image in conversation
Index(es):
- Date
- Thread