Aryeh Gregor wrote:
> As long as the worst that could happen on a large majority of installations is DoS, I don't think we should be afraid to rewrite the code just because *maybe* it would be less secure. We should obviously check over the new code carefully, but I wouldn't say it's any more security-critical than random pieces of MediaWiki -- which are typically vulnerable to XSS if someone forgets to escape something.
Getting shell access is not a DoS or XSS. Especially for a large majority of installs where it compromises their only account. Does this mean that we shouldn't rewrite it? No. We should rewrite it, and make it more secure. We start it by having enough eyes on the code. I wouldn't be surprised if we found a vulnerability in texvc during the rewrite.
Running the LaTeX interpreter under ulimit -u 1 should provide a quite safe default against external launches. But take into account that file writes are also a dangerous vector.