On 03/24/2010 02:00 PM, Aryeh Gregor wrote:
> On Tue, Mar 23, 2010 at 6:28 PM, Conrad Irwin conrad.irwin@googlemail.com wrote:
>> Many LaTeX installations can be made read/write/execute anything by default.
> What does that mean? LaTeX can invoke external programs? Using what commands? Is this functionality actually enabled in practice in stock LaTeX installs?
Yes: \openout, \write, \closeout, \openin, \read, \closein. The infamous one is \write18; 18 is a special file descriptor that just executes shell commands. You can also use \openin={|<shell command>}.
People have noticed this problem, so some distributions disable \write18 (and opening with |), and also configure it such that files can only be read and written within the current directory or subdirectories. This is, to my knowledge, not bypassable.
There's also a (more recent) mode called "restricted write18", used by more user-friendly distributions; this allows some commands (such as bibtex or tex) to be used with write18 and |. Sadly, as arguments passed to the commands are not validated (though they are shell escaped), it is possible to break out of the sandbox.
Even if it were not possible to break out of restricted write18, there will exist installations with write18 enabled, and I can't imagine people remembering to check. Depending on the flavour of LaTeX in use, it is often possible to pass -no-shell-escape or --disable-write18 on the command line; we should probably do that, unless unknown flags cause errors; I'm not sure.
Conrad
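
An added example, not part of the original message or of any project's code: a Python sketch that audits texmf.cnf-style settings for the write18 and file-access restrictions discussed above, and builds a LaTeX command line that always carries the disable flag. The sample configuration, the policy values and the flavour labels are assumptions made for the example.

```python
import re

# Constructed texmf.cnf fragment for the demo (not from a real installation).
SAMPLE_TEXMF_CNF = """\
% constructed sample
shell_escape = p
shell_escape_commands = bibtex,kpsewhich
openout_any = p
openin_any = a
"""

# Assumed policy for rendering untrusted input: write18 off (f) and
# paranoid (p) file access, i.e. current directory and below only.
REQUIRED = {"shell_escape": "f", "openout_any": "p", "openin_any": "p"}

# Flags named in the message; the flavour keys are labels chosen here.
NO_SHELL_FLAG = {"texlive": "-no-shell-escape", "miktex": "--disable-write18"}


def parse_texmf_cnf(text):
    """Parse 'name = value' lines. Simplified: '=' is required, '%' always
    starts a comment, and the first definition of a name is kept."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"([A-Za-z_][\w.]*)\s*=\s*(\S+)", line.split("%", 1)[0].strip())
        if m:
            settings.setdefault(m.group(1), m.group(2))
    return settings


def audit(settings):
    """Return (name, value) for each setting that misses the policy;
    value is None when the variable is not set in the parsed text."""
    return [(k, settings.get(k)) for k, want in REQUIRED.items()
            if settings.get(k) != want]


def hardened_argv(texfile, engine="latex", flavour="texlive"):
    """Build an argv list (no shell) that always carries the disable flag."""
    if texfile.startswith(("-", "|")):
        raise ValueError("file name would be read as an option or a pipe")
    return [engine, NO_SHELL_FLAG[flavour], texfile]


if __name__ == "__main__":
    print(audit(parse_texmf_cnf(SAMPLE_TEXMF_CNF)))
    print(hardened_argv("formula.tex"))
```

On a real installation the effective values can be read with `kpsewhich -var-value shell_escape` (and likewise for `openout_any` and `openin_any`) instead of parsing a file by hand.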