Tomasz Wegrzanowski wrote:
>Toby Bartels wrote:
>>Then DoS PlanetMath or arXiv and see how well you do.
>>I mean, state specifically, if it is possible, what you would do.
>>You never explained this the last time we had this conversation,
>>to me or anybody else.
>I mean, something like this:
><rend class="math">
>\renewcommand{\a}{xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx}
>\renewcommand{\b}{\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a}
>\renewcommand{\c}{\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b}
>\renewcommand{\d}{\c\c\c\c\c\c\c\c\c\c}
>\d
></rend>
>Then,
>http://69.44.153.14/wikitex.php stops rendering
>if I make the input much bigger. Is it on purpose, or does it have
>real performance problems even with such a short piece of TeX?
>My local TeX installation has no problem with this,
>but if I go on to use \newcommand{\e} and make one more step,
>then it stops with this error:
>! TeX capacity exceeded, sorry [main memory size=1000001].
Naturally, TeX is designed this way on purpose!
This is /why/ it does not overload the server,
because it has artificially limited memory capacity.
By messing with our local TeX installation,
we can set this limiting capacity to whatever we want,
in order to ensure that TeX uses up only so much of our computing power.
>You can't use such tricks with texvc or the Wiki parser.
It's not much of a trick. It's certainly not a DoS attack;
all that happens is that TeX stops running and the input is not rendered.
This is basically the same thing that happens when texvc gets
<math> \SomeCommandThatDoesNotExist </math>; the program exits with an error.
Now, maybe wikitex doesn't handle this error properly!
If wikitex crashes the server (to speak in hyperbole)
when it gets an input that it can't properly compile,
then that is bad. But if it instead prints
"! TeX capacity exceeded, sorry [main memory size=1000001].",
then it handles errors about as well as texvc does.
(In fact, the prototype at <http://69.44.153.14/wikitex.php>
prints nothing at all, which is a user-friendliness problem,
but hardly a security flaw.)
>>None of the many modules for TeX is capable of introducing new I/O commands.
>>So you check each relevant module for its use of these commands.
>Are you willing to check every module in the TeX distro to make sure
>that it doesn't use I/O commands in a way that could be abused by a cracker?
>Or is there maybe some version of TeX that simply doesn't contain
>any dangerous commands? That would really be much nicer.
First, we don't have to check every module in any TeX distribution;
we only have to check those modules that we choose to allow.
If we don't have the module installed, then they can't use it!
By itself, TeX has a few file I/O commands like \input and \write;
no module has file I/O commands that don't work by calling these.
LaTeX has had a great deal of testing, and its commands should be trusted,
so this gives us several additional file I/O commands to look for.
Yet most modules never use any of these! We can refuse to install those
that use file I/O commands that we haven't checked thoroughly.
Peter should assure us that he has gone through, say, the chess module
and checked that it doesn't use any file I/O commands other than, say,
\wlog (which writes to the log and cannot access any other file).
Otherwise I would not trust the module in question.
>Of course, I'm paranoid. Probably nobody would care
>enough to look for a hole,
>no matter how big it was. But I'd feel much better if there were a few lines
>of Perl somewhere implementing a security whitelist, even without
>any correctness validation.
Actually, I think that this is a perfectly reasonable security double-check.
I don't think that we have any need for the kind of TeX programming
that defines new commands; if we disable \renewcommand as well as \input,
then I don't think that anything that Axel or I want to do with TeX is lost.
If this changes later on, then we can revisit the issue when that happens,
because in the end, I don't think that it is really necessary;
but until then, it should be reasonable to satisfy you in this way.
Do you see any problem with this, Peter? What if Tomasz submits a patch
that does this?
BTW to Peter:
I see that <rend class="math"> simply puts us inside LaTeX.
I think that it ought to put us directly inside the {equation*} environment.
Users don't want to have to type \begin{equation*} and \end{equation*}.
-- Toby
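An added illustration of the two filters discussed in this thread, not code from wikitex, texvc or either poster. Tomasz asked for a few lines of Perl; this is the same idea in Python. It implements Toby's minimal proposal (refuse \renewcommand and \input), the whitelist Tomasz wants (refuse every control sequence not on a list), and a rough estimator of how far a chain of argument-less \renewcommand definitions expands, so that a bomb of the shape Tomasz posted can be refused before TeX ever sees it. The allowlist contents, the bomb's 36/22/22/10 fan-out, and the use of the quoted main memory size as a budget are all my assumptions.

```python
"""Added illustration for the thread above: a two-name denylist, a whitelist
of control sequences, and a rough estimate of how far a \\renewcommand chain
expands.  Not code from wikitex or texvc; lists and sizes are assumptions."""
import re

# A control sequence is a backslash followed by letters, or by one other
# character.  This assumes standard category codes, which is only safe
# because \catcode itself is never let through the allowlist.
_CS = re.compile(r'\\([A-Za-z]+|[^A-Za-z])')
# Argument-less \newcommand / \renewcommand with a brace-free body.
_DEF = re.compile(r'\\(?:re)?newcommand\{\\([A-Za-z]+)\}\{([^{}]*)\}')
_WS = re.compile(r'\s+')

# The minimal proposal from the thread: disable \renewcommand and \input.
TOBY_DENYLIST = frozenset({'renewcommand', 'input'})

# A whitelist in the sense Tomasz asked for: anything not listed is refused.
# The contents are an assumption for this example, not wikitex's list.
ALLOWLIST = frozenset({
    'frac', 'sqrt', 'sum', 'int', 'prod', 'infty', 'cdot', 'times', 'left',
    'right', 'alpha', 'beta', 'gamma', 'pi', 'partial', 'mathbb', 'mathrm',
    'begin', 'end',
})


def control_sequences(src):
    """Names of all control sequences in src, in order of appearance."""
    return [m.group(1) for m in _CS.finditer(src)]


def check_denylist(src, denied=TOBY_DENYLIST):
    """Refuse src if it uses a denied name.  Returns (ok, offenders).
    Note what a two-name list misses: \\def, \\let and \\csname define macros too."""
    offenders = sorted({n for n in control_sequences(src) if n in denied})
    return (not offenders, offenders)


def check_allowlist(src, allowed=ALLOWLIST):
    """Refuse src unless every control sequence is on the allowlist.
    Also refuses TeX's ^^ notation outright: ^^5c is a backslash, so
    ^^5cinput would reach TeX as \\input without the regex ever seeing it."""
    if '^^' in src:
        return (False, ['^^'])
    offenders = sorted({n for n in control_sequences(src) if n not in allowed})
    return (not offenders, offenders)


def expanded_length(src, limit=10_000_000):
    """Rough size of what src expands to once every argument-less
    \\newcommand/\\renewcommand body is substituted.  Non-blank characters
    and unexpanded control sequences count one each; TeX's own memory
    accounting differs, so read the result as an order of magnitude.
    Raises ValueError on a self-referential macro or once the running total
    exceeds limit, so a bomb is refused without being fully expanded."""
    defs = dict(_DEF.findall(src))
    rest = _DEF.sub('', src)
    cache = {}

    def length_of(text, active):
        total, pos = 0, 0
        for m in _CS.finditer(text):
            total += len(_WS.sub('', text[pos:m.start()]))
            pos = m.end()
            name = m.group(1)
            if name in defs:
                if name in active:
                    raise ValueError(f'\\{name} expands to itself')
                if name not in cache:
                    cache[name] = length_of(defs[name], active | {name})
                total += cache[name]
            else:
                total += 1
            if total > limit:
                raise ValueError(f'expansion exceeds {limit}')
        return total + len(_WS.sub('', text[pos:]))

    return length_of(rest, frozenset())


def within_budget(src, budget=1_000_001):
    """True if the rough expansion of src fits in budget.  The default is the
    main memory size from the error message quoted in the thread; the units
    are not really the same, so this is a heuristic, not TeX's own check."""
    try:
        return expanded_length(src, limit=budget) <= budget
    except ValueError:
        return False


def bomb(fanouts, width=36):
    """Construct a chain shaped like Tomasz's: \\a is a run of `width`
    characters and each further macro repeats the previous one.  For
    fanouts=(22, 22, 10) this defines \\b, \\c, \\d and ends by invoking \\d.
    Constructed sample; the exact counts in the post may differ."""
    names = 'abcdefghij'
    lines = [r'\renewcommand{\a}{' + 'x' * width + '}']
    for i, n in enumerate(fanouts):
        body = ('\\' + names[i]) * n
        lines.append(r'\renewcommand{\%s}{%s}' % (names[i + 1], body))
    return '\n'.join(lines) + '\n\\' + names[len(fanouts)]


if __name__ == '__main__':
    four = bomb((22, 22, 10))        # \a..\d, as in the post
    five = bomb((22, 22, 10, 22))    # one more step, \e
    print(expanded_length(four), within_budget(four))   # 174240 True
    print(within_budget(five))                          # False
    print(check_denylist(four))                         # (False, ['renewcommand'])
    print(check_denylist(r'\def\a{xx}\def\b{\a\a}\b'))  # (True, [])
    print(check_allowlist(r'\def\a{xx}\def\b{\a\a}\b')) # (False, ['a', 'b', 'def'])
```

Two things the numbers show. With a 36-character \a and fan-outs of 22, 22 and 10, the four-level chain comes to 174,240 characters, which a local TeX swallows, while one more level of 22 gives 3,833,280, past the 1,000,001 quoted in Tomasz's error, so the estimator refuses it on the way up without ever building the string. And the \def variant slips straight past a denylist that names only \renewcommand and \input, while the whitelist refuses it on the first unknown name; the same whitelist also has to refuse ^^ notation, because ^^5c is a backslash and a regex that looks for literal backslashes never sees it.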