Peter, really impressed by your LaTeX features. I am (unfortunately) still
a user of LaTeX and don't actually know how to implement macros. Therefore I
just want to inform you about a macro for chemical structure formulas which
can be found (inside the famous article by Haas/Kane) at:
http://math-cs.cns.uni.edu/~okane/cgi-bin/newpres/papers/tex/ I hope this
helps a little bit to make WP step by step the one and only invincible
encyclopedia (more than it is already; great compliments to all the
programmers - hope to join soon...).
Cheers, Mark
-----Original Message-----
From: wikitech-l-bounces(a)Wikipedia.org
[mailto:wikitech-l-bounces@Wikipedia.org] On behalf of Tomasz
Wegrzanowski
Sent: Wednesday, 10 December 2003 18:14
To: Wikimedia developers
Subject: Re: [Wikitech-l] WikiTeX
On Wed, Dec 10, 2003 at 05:37:42PM -0100, Peter Danenberg wrote:
Do you do anything about security?
That was in particular what I wanted you to take a look at, Tomasz.
The templates exposed by the classes are limited; shell access is
disabled (LaTeX); Python is running in safe (Lilypond); but I'm going
to have to deal with \include elements, etc. ad hoc. And ad hoc runs
contrary to texvc's methodology.
I'd be especially interested if we could crack it in its present form,
however; or prove some crack concepts.
What about this:
<rend class="math">
\input /etc/passwd
</rend>
\input-ing most stuff doesn't work, probably because of
TeX-special characters in them, but there are the catcode tricks
to get around this problem. I think that, knowing the structure
of the server, or just guessing hard enough, it would be possible
to get all files owned by apache, including those that contain passwords
to the database. It's also quite likely that there are some ways
to take over the LaTeX process somehow.
If all these efforts fail, there's still the good ol' DoS attack.
It should be quite easy to create input that requires exponential
effort from TeX, and use a couple of them to destroy the server.
The moral: in the end you'll need a whitelist of allowed commands.
_______________________________________________
Wikitech-l mailing list
Wikitech-l(a)Wikipedia.org
http://mail.wikipedia.org/mailman/listinfo/wikitech-l
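The whitelist Tomasz's message ends on, as an added example that is not part of the original thread and is not WikiTeX or texvc code: a small Python filter that resolves TeX's ^^ character notation first (so a backslash smuggled as ^^5c cannot slip an \input past a literal string match) and then refuses any control sequence that is not on an allowlist. The function names, the contents of the allowlist and the sample inputs are assumptions made for illustration; the ^^ rules themselves are TeX's.

```python
import re

# Control words permitted in a user-supplied math fragment.  This list is an
# assumption for the example; a real deployment would derive it from the
# macros the renderer actually needs.  \input, \openin, \catcode, \write,
# \def, \csname and everything else not listed here is rejected.
ALLOWED_WORDS = {
    "frac", "sqrt", "sum", "prod", "int", "lim", "infty", "cdot", "times",
    "alpha", "beta", "gamma", "pi", "left", "right", "mathrm", "mathbf",
    "hat", "vec", "partial", "le", "ge", "ne", "ldots",
}
# Control symbols (backslash followed by one non-letter) that are harmless.
ALLOWED_SYMBOLS = set("{},;:!_^ ")

# TeX's ^^ notation: ^^xx with two lowercase hex digits is the character with
# that code; otherwise ^^c is the single ASCII character c with bit 0x40
# flipped.  So ^^5c is a backslash that never appears literally in the input.
HAT_HAT = re.compile(r"\^\^(?:([0-9a-f]{2})|([\x00-\x7f]))")
# A backslash followed by a control word, a control symbol, or nothing at all.
CONTROL_SEQ = re.compile(r"\\([A-Za-z]+|[^A-Za-z]|$)")


def _reduce(m):
    if m.group(1) is not None:
        return chr(int(m.group(1), 16))
    return chr(ord(m.group(2)) ^ 0x40)


def decode_hat_hat(src, max_rounds=8):
    """Resolve ^^ sequences left to right, repeating because TeX re-examines
    the character a reduction produces (so ^^5e^5c also yields a backslash).
    Stops when nothing changes; the caller treats a leftover ^^ as hostile."""
    for _ in range(max_rounds):
        if "^^" not in src:
            break
        new = HAT_HAT.sub(_reduce, src)
        if new == src:
            break
        src = new
    return src


def check_tex(src):
    """Return (ok, reason).  Only allowlisted control sequences may survive
    after ^^ decoding; everything else, including \\input, is refused."""
    text = decode_hat_hat(src)
    if "^^" in text:
        return False, "unresolved ^^ sequence"
    for m in CONTROL_SEQ.finditer(text):
        name = m.group(1)
        if name == "":
            return False, "dangling backslash"
        if name.isascii() and name.isalpha():
            if name not in ALLOWED_WORDS:
                return False, "control word \\%s is not allowlisted" % name
        elif name not in ALLOWED_SYMBOLS:
            return False, "control symbol \\%r is not allowlisted" % name
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs: one benign formula, Tomasz's \input probe,
    # and two ^^-encoded variants of it that a naive string match would miss.
    for sample in (r"\frac{a}{b} \cdot \alpha_1^2",
                   r"\input /etc/passwd",
                   r"^^5cinput /etc/passwd",
                   r"^^5e^5cinput /etc/passwd",
                   r"\catcode`\\=12 \def\x{y}"):
        print("%-32r -> %s" % (sample, check_tex(sample)))
```

The filter does nothing about the other attack in the message, input that makes TeX burn exponential time: no syntactic check can rule that out, so the renderer itself still has to run under process-level limits on CPU time, memory and wall clock (for example via `ulimit -t` in the wrapper that starts it), with the output discarded when the limit trips.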