On Sun, Dec 01, 2002 at 09:22:14AM +0100, Jens Frank wrote:
One thing I would strongly propose to change:
function renderMath( $matches ) { ... $pid = popen("./math/texvc \"{$tex}\"", "r"); # texvc shouldn't be in cgi-bin
This allows nasty attacks before the TeX code is validated. Let, for example, $tex be $(find / -type f|xargs rm). Then popen starts a shell to start the program, and its parameters are expanded by the shell. A lot of nasty things could be performed this way.
Workaround: a) use a bi-directional proc_open and put the $tex via stdin b) create a file with the md5-hash as filename.
Workaround (a) is currently not available in standard PHP.
PHP has a standard function that escapes shell metacharacters, exactly for this purpose.
I just forgot to put it there.
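For reference, here are the two fixes the thread mentions applied to the popen() call quoted above: escapeshellarg() quoting (the standard PHP function the reply refers to) and Jens's workaround (a), proc_open() with $tex on stdin. This is an added illustration, not MediaWiki's or texvc's own code; the texvc path and the assumption that texvc can read its input from stdin are mine.

```php
<?php
// Added example, not MediaWiki code. Two hardened versions of the
// popen("./math/texvc \"{$tex}\"", "r") call discussed in the thread.

// Variant 1: keep popen(), but pass $tex through escapeshellarg().
// The shell then receives the whole formula as one single-quoted
// literal, so $(...), backticks, ';', '|' and '&' are never interpreted.
function renderMathEscaped(string $tex): string {
    $cmd = './math/texvc ' . escapeshellarg($tex);   // path assumed
    $pid = popen($cmd, 'r');
    if ($pid === false) {
        return '';
    }
    $out = stream_get_contents($pid);
    pclose($pid);
    return $out;
}

// Variant 2 (workaround (a)): proc_open() with a fixed command line and
// the TeX source written to the child's stdin, so user data never reaches
// the shell at all. Assumes a texvc that reads its formula from stdin.
function renderMathStdin(string $tex): string {
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open('./math/texvc', $spec, $pipes);  // path assumed
    if (!is_resource($proc)) {
        return '';
    }
    fwrite($pipes[0], $tex);
    fclose($pipes[0]);
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}

// Sanity check of the quoting, runnable without texvc: a constructed
// input full of shell metacharacters becomes one literal argument.
$sample = "a^2 ; \$(date) | cat & 'x'";           // constructed input
$arg = escapeshellarg($sample);
// escapeshellarg() wraps in single quotes and rewrites embedded ' as '\''
assert($arg === "'a^2 ; \$(date) | cat & '\\''x'\\'''");
echo $arg, "\n";
```

Variant 1 is the one-line fix; variant 2 still starts /bin/sh for the fixed command string, but the formula itself is never parsed by it.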