Salve,
I've recently developed a module with full support for AMSLaTeX, Lilypond and Chess; and I wanted you to take a look before I incorporate it into Wiki.
WikiTeX introduces a new element, the "rend" element, which comes in block and inline form:
<rend class="music" style="tempo: 50" value="[content]" /> or: <rend class="math"> [content] </rend>
The rend element is indefinitely expansible by class modules, of which "math", "music" and "chess" are now supported.
http://69.44.153.14/wikitex.php
Best, Peter Danenberg
On Wed, Dec 10, 2003 at 04:10:35PM -0100, Peter Danenberg wrote:
Salve,
I've recently developed a module with full support for AMSLaTeX, Lilypond and Chess; and I wanted you to take a look before I incorporate it into Wiki.
WikiTeX introduces a new element, the "rend" element, which comes in block and inline form:
<rend class="music" style="tempo: 50" value="[content]" /> or: <rend class="math"> [content] </rend>
The rend element is indefinitely expansible by class modules, of which "math", "music" and "chess" are now supported.
Do you do anything about security ?
Do you do anything about security ?
That was in particular what I wanted you to take a look at, Tomasz. The templates exposed by the classes are limited; shell access is disabled (LaTeX); Python is running in safe (Lilypond); but I'm going to have to deal with \include elements, etc. ad hoc. And ad hoc runs contrary to texvc's methodology.
I'd be especially interested if we could crack it in its present form, however; or prove some crack concepts.
Best, Peter
On Wed, Dec 10, 2003 at 05:37:42PM -0100, Peter Danenberg wrote:
Do you do anything about security ?
That was in particular what I wanted you to take a look at, Tomasz. The templates exposed by the classes are limited; shell access is disabled (LaTeX); Python is running in safe (Lilypond); but I'm going to have to deal with \include elements, etc. ad hoc. And ad hoc runs contrary to texvc's methodology.
I'd be especially interested if we could crack it in its present form, however; or prove some crack concepts.
What about this:
<rend class="math"> \input /etc/passwd </rend>
\input-ting most stuff doesn't work, probably because of TeX-special characters in them, but there are the catcode tricks to go around this problem. I think that knowing structure of the server, or just guessing hard enough, it would be possible to get all files owned by apache, including those that contain passwords to the database. It's also quite likely that there are some ways to takeover the LaTeX process somehow.
If all these efforts fail, there's still good ol' DOS attack. It should be quite easy to create input that require exponential effort from TeX, and use a couple of them to destroy the server.
The moral: in the end you'll need a whitelist of allowed commands.
Peter, really impressed by your LaTeX features. I am (unfortunately) still user of LaTex and dont actually know how to implement macros. Therefore I just want to inform you about a macro for chemical structure formulas which can be found (inside the famous article by Haas/Kane) at: http://math-cs.cns.uni.edu/~okane/cgi-bin/newpres/papers/tex/ I hope this helps a little bit to make WP step by step the one and only invincable encyclopedia (more as it is already, great compliments to all the programmers - hope to join soon...). Cheers, Mark
-----Ursprungliche Nachricht----- Von: wikitech-l-bounces@Wikipedia.org [mailto:wikitech-l-bounces@Wikipedia.org]Im Auftrag von Tomasz Wegrzanowski Gesendet: Mittwoch, 10. Dezember 2003 18:14 An: Wikimedia developers Betreff: Re: [Wikitech-l] WikiTeX
On Wed, Dec 10, 2003 at 05:37:42PM -0100, Peter Danenberg wrote:
Do you do anything about security ?
That was in particular what I wanted you to take a look at, Tomasz. The templates exposed by the classes are limited; shell access is disabled (LaTeX); Python is running in safe (Lilypond); but I'm going to have to deal with \include elements, etc. ad hoc. And ad hoc runs contrary to texvc's methodology.
I'd be especially interested if we could crack it in its present form, however; or prove some crack concepts.
What about this:
<rend class="math"> \input /etc/passwd </rend>
\input-ting most stuff doesn't work, probably because of TeX-special characters in them, but there are the catcode tricks to go around this problem. I think that knowing structure of the server, or just guessing hard enough, it would be possible to get all files owned by apache, including those that contain passwords to the database. It's also quite likely that there are some ways to takeover the LaTeX process somehow.
If all these efforts fail, there's still good ol' DOS attack. It should be quite easy to create input that require exponential effort from TeX, and use a couple of them to destroy the server.
The moral: in the end you'll need a whitelist of allowed commands. _______________________________________________ Wikitech-l mailing list Wikitech-l@Wikipedia.org http://mail.wikipedia.org/mailman/listinfo/wikitech-l
Done; the new tag is <rend class="chem"></rend>. I ended up going with the slightly more modern PPCH-TeX package; you can read about it under "documentation".
If you're particularly wedded to the CHEM-TeX package you mentioned, let us know.
Best, Peter
Peter-
I would prefer to have the tags called <math>, <music>, <chess>, <chem>, <greek>
etc.
The basic idea of wiki is to make everything fast and easy to learn. Why should people have to type <rend class="music"> when they could just type <music>? Using the above scheme would also eliminate the need for converting existing <math> tags, but that's a minor advantage.
Regards,
Erik
Good point; here's what people had to say about <math> tags in 2002:
From: "Derek Moore" jizzbug@hotmail.com
What about <math> ... </math> conflicting with MathML?
From: Toby Bartels toby+wikipedia@math.ucr.edu
A simple equation like <math>x + y = z</math> looks ugly.
I thought a modular approach might avoid some confusion and simplify expansion in the future; but the simpler forms you're suggesting actually process more efficiently.
Keep in mind there's an optional condensed form:
<rend class=math value="$e=mc^2$" />
I'm wedded to neither, and we might be able to offer both during a transitional phase.
Best, Peter
Peter-
What about <math> ... </math> conflicting with MathML?
Just make a <mathml> tag if that ever becomes an issue (about 2010 when MathML gets mainstream support).
A simple equation like <math>x + y = z</math> looks ugly.
I don't get this one. And I don't think <rend class="math" value="x+y=z"/> is prettier.
Regards,
Erik
Indeed; if no one defends the modular approach we can save ourselves the typing:
<rend class=music style="tempo: 50">
would actually become
<music tempo=50>!
Best, Peter
Peter Danenberg wrote:
Good point; here's what people had to say about <math> tags in 2002:
From: "Derek Moore" jizzbug@hotmail.com
What about <math> ... </math> conflicting with MathML?
From: Toby Bartels toby+wikipedia@math.ucr.edu
A simple equation like <math>x + y = z</math> looks ugly.
I'm pretty sure that I was talking about how texvc ''rendered'' that input. Anyway, <math> is much less ugly than <rend class="math">, right? ^_^
-- Toby
Hi there.
I'll just allow myself to jump into this discussion randomly.
Erik Moeller wrote:
I would prefer to have the tags called <math>, <music>, <chess>, <chem>,
<greek>
Can someone remind me why exactly we want pseudo-HTML tags? Personally, I think it would make things more confusing because people who don't know HTML well will start thinking this is real HTML.
How about something much more wiki-like:
[math x + y = z] [music blah blah] etc.
Also faster to type because you don't need to duplicate the tag name in the end tag.
Timwi
Timwi-
Can someone remind me why exactly we want pseudo-HTML tags? Personally, I think it would make things more confusing because people who don't know HTML well will start thinking this is real HTML.
If people want to learn HTML, they can go to [[HTML]]. XML-like constructs in our syntax do not preclude them from doing so.
How about something much more wiki-like:
[math x + y = z] [music blah blah] etc.
I don't see how this is more wiki-like. Most wiki tags are only valid in a paragraph or line context - that's why they don't need a clear ending demarcation. When dealing with content that may span several pages, it's nice to have a clear ending marker, and the added redundancy is not just machine- but also human friendly. We also have <pre>, <nowiki> etc.
It also saves us lots of escaping should the not too uncommon character "]" ever occur inside one of these constructs.
Regards,
Erik
Erik Moeller wrote:
How about something much more wiki-like:
[math x + y = z] [music blah blah] etc.
I don't see how this is more wiki-like.
Wiki means quick, doesn't it? :-) It's more wiki-like in the same sense as ''this'' is more wiki-like than <em>that</em>.
Most wiki tags are only valid in a paragraph or line context - that's why they don't need a clear ending demarcation. When dealing with content that may span several pages, it's nice to have a clear ending marker, and the added redundancy is not just machine- but also human friendly. We also have <pre>, <nowiki> etc.
I dislike <nowiki> for the same reasons. (<pre>, however, is actual HTML, and there exists a wiki-syntax for it (beginning a line with a space), so it's not actually needed in wiki-articles.)
It also saves us lots of escaping should the not too uncommon character "]" ever occur inside one of these constructs.
You know, just after I submitted this I instantly regretted not having included more options or added some clarification, because comments like that were to be expected.
Firstly, the character "]" is rather unlikely to occur without a matching "[".
Secondly, I was only giving an example. There is no reason why it would have to be single square brackets. There are numerous ways to come up with a better syntax than <math>...</math>. To alleviate the "clear end marker" problem, you could use triple square brackets: [[[math x + \left[\frac{y}{2}\right] = z ]]] which is still way easier than <math>...</math>.
Furthermore, to even alleviate the problem of having to type "math" and the added problem that that is anglocentric anyway, one could use [[[...]]] for math, [{{...}}] for chem, [!!...!!] for music, etc.etc.
Greetings, Timwi
On Sat, Dec 13, 2003 at 12:56:12AM +0000, Timwi wrote:
I dislike <nowiki> for the same reasons. (<pre>, however, is actual HTML, and there exists a wiki-syntax for it (beginning a line with a space), so it's not actually needed in wiki-articles.)
Wiki <pre> != HTML <pre>
<wiki-pre> = <html-pre><nowiki>
On Dec 12, 2003, at 16:56, Timwi wrote:
I dislike <nowiki> for the same reasons.
FWIW, we inherited <nowiki> from UseModWiki.
However <math> is our own invention and we shall pay for it in the next WikiLife. ;) For extra confusion, <math> is the root element in MathML, but our <math> is TeX-based. I think we ended up using it because no one could agree on an obscure symbol to use or the exact semantics thereof.
-- brion vibber (brion @ pobox.com)
On Fri, Dec 12, 2003 at 05:30:56PM -0800, Brion Vibber wrote:
For extra confusion, <math> is the root element in MathML, but our <math> is TeX-based.
That's precisely why I decided to go <rend class=math>, etc., and pre-empt once and for all compatibility problems.
Best, Peter
To even alleviate the problem of having to type "math" and the added problem that that is anglocentric anyway, one could use [[[...]]] for math, [{{...}}] for chem, [!!...!!] for music, etc.etc.
If we decided against the modular <rend class=music> approach and prefer the token <music>, do we have a consensus on form; whether XML <music>, wiki-esque [[[music]]], or allomorph [!!...!!]?
Best, Peter
On Mon, Dec 15, 2003 at 07:34:16PM -0100, Peter Danenberg wrote:
To even alleviate the problem of having to type "math" and the added problem that that is anglocentric anyway, one could use [[[...]]] for math, [{{...}}] for chem, [!!...!!] for music, etc.etc.
If we decided against the modular <rend class=music> approach and prefer the token <music>, do we have a consensus on form; whether XML <music>, wiki-esque [[[music]]], or allomorph [!!...!!]?
Please, let's use <music></music>, `[' has too many meanings already.
Tomasz Wegrzanowski wrote:
On Mon, Dec 15, 2003 at 07:34:16PM -0100, Peter Danenberg wrote:
To even alleviate the problem of having to type "math" and the added problem that that is anglocentric anyway, one could use [[[...]]] for math, [{{...}}] for chem, [!!...!!] for music, etc.etc.
If we decided against the modular <rend class=music> approach and prefer the token <music>, do we have a consensus on form; whether XML <music>, wiki-esque [[[music]]], or allomorph [!!...!!]?
Please, let's use <music></music>, `[' has too many meanings already.
Interesting that you should say that, with "<" having similarly many if not more meanings already.
It doesn't have to be "[", but personally I'm rather strongly opposed to mimicking HTML/XML when it's not actually HTML or XML.
Timwi
Timwi-
It doesn't have to be "[", but personally I'm rather strongly opposed to mimicking HTML/XML when it's not actually HTML or XML.
It is XML syntax. Making the entire wikisyntax XML is of course unwiki. But in the case of multi paragraph constructs, it's useful and intuitive.
Given that there is unlikely to be support for your proposed syntax, you'll either have to come up with a better one or tolerate this one, which extends the current <math> syntax.
Regards,
Erik
Erik Moeller wrote:
Given that there is unlikely to be support for your proposed syntax, you'll either have to come up with a better one or tolerate this one, which extends the current <math> syntax.
I can only repeat that the syntax I "proposed" was only an example. I agree there are disadvantages to it, even though I think it's still much better suitable for an international wiki than <math>...</math>.
It is pretty easy to come up with hundreds of possible syntaxes that are all way better than <math>...</math> if only for the fact that they are not anglocentric:
{{{ ... }}} {!! ... !!} {?? ... ??} {@ ... @} {$ ... $} # I actually like this one -- TeXy {$$ ... $$} # or that {= ... =}
{!123 ... !} for math and {!o/~ ... !} for music (OK, not really serious)
You'd just have to pick one. Any one. It really doesn't matter which.
Timwi
Peter Danenberg wrote:
{!o/~ ... !} for music (OK, not really serious)
Is it a serious consideration that none of the examples are intuitive; or is that more than made up for by the de-anglicization?
No matter what mark-up is chosen, people would have to learn it for the first time either way. Even to people who know both HTML and English, <math>...</math> is at best slightly easier to remember, but not intuitive to come up with.
Once you have inserted three formulas, you'll have remembered the mark-up, no matter what it is (assuming it's not *#@&$^%@*#^$%*^$% ... %$^*%$^#*@%^$&@#*).
This is therefore not much of a consideration.
Timwi
Timwi-
It is pretty easy to come up with hundreds of possible syntaxes that are all way better than <math>...</math> if only for the fact that they are not anglocentric:
Indeed. They are Perl coder centric. Is it a coincidence that you are one? :-)
Regards,
Erik (Perl coder)
Erik Moeller wrote:
Timwi-
It is pretty easy to come up with hundreds of possible syntaxes that are all way better than <math>...</math> if only for the fact that they are not anglocentric:
Indeed. They are Perl coder centric.
I don't see how they are. Just because of the curly braces, or what? I've only used those because people have been complaining about square brackets.
Timwi
On Mon, Dec 15, 2003 at 08:27:21PM +0000, Timwi wrote:
Interesting that you should say that, with "<" having similarly many if not more meanings already.
It doesn't have to be "[", but personally I'm rather strongly opposed to mimicking HTML/XML when it's not actually HTML or XML.
`<' has only one use - starting/closing named tags. And adding more tags is consistent with it. It's also trivial to parse.
Why are you opposed to using '<' this way ? I'm personally rather strongly in favour, so I wonder what are your reasons. Is it because you think people may confuse Wiki markup with XML (I don't think such confusion is likely to happen), or because you don't like <foo></foo> tags in general ?
Currently if en is down and en2 is working the casual user cannot easily do anything useful because any attempt at using a special he will be pointed to en also en2 get its images from en.
To fix it would seem sensible to mirror images on both or get images from the new beast (link the file systems) and after being redirected to en or en2 the defaults on those servers need to point at themselves not www. (fix local settings?)
This would allow cleaner access for the user and less stress there is no need to go to www every time (will reduce connects).
There seems to be a regular slow down early evening 6-8pm uk time.
We need a european timezone developer who can restart apache when this occurs.
Dave Caroline aka archivist
Tomasz Wegrzanowski wrote:
On Mon, Dec 15, 2003 at 08:27:21PM +0000, Timwi wrote:
Interesting that you should say that, with "<" having similarly many if not more meanings already.
It doesn't have to be "[", but personally I'm rather strongly opposed to mimicking HTML/XML when it's not actually HTML or XML.
`<' has only one use - starting/closing named tags. And adding more tags is consistent with it. It's also trivial to parse.
Those tags, however, have many meanings. Some are "real" HTML (like <table>, which fortunately we managed to introduce a Wiki syntax for), some are "mixed" (like <pre>) and some are "bogus" (like <math>).
'<' has additionally the meaning of <.
Why are you opposed to using '<' this way ? I'm personally rather strongly in favour, so I wonder what are your reasons. Is it because you think people may confuse Wiki markup with XML (I don't think such confusion is likely to happen), or because you don't like <foo></foo> tags in general ?
I've pretty much laid out my reasons already ((1) "math" is anglocentric, (2) Wiki markup and XML should not be confused, and (3) {{{ blah }}} is always easier to type than <math> blah </math>, and not any more difficult to parse)...
... but I think I've made more of a fuss of it than I really intended. I don't actually care as much as I'm making it sound in this thread. Since there hasn't been any noticeable support of my proposal, I guess I'll retreat now.
Timwi
Tomasz Wegrzanowski wrote:
What about this:
<rend class="math"> \input /etc/passwd </rend>
\input-ting most stuff doesn't work, probably because of TeX-special characters in them, but there are the catcode tricks to go around this problem. I think that knowing structure of the server, or just guessing hard enough, it would be possible to get all files owned by apache, including those that contain passwords to the database. It's also quite likely that there are some ways to takeover the LaTeX process somehow.
If all these efforts fail, there's still good ol' DOS attack. It should be quite easy to create input that require exponential effort from TeX, and use a couple of them to destroy the server.
The moral: in the end you'll need a whitelist of allowed commands.
That moral does not follow. (If it did, sites like Planetmath.org and arXiv.org would be in trouble!)
\input should simply be forbidden, like \write , \include , and, well, just about any command that reads files liberally. There are only a few of these, and we can check with the above sites if we want to make extra certain that we have not missed any.
As for exponential computing effort, most TeX installations normally stop working after a small memory limit has been reached. Again, we can check with the above sites if we want to check that this is really enough.
I don't mean to say that Peter, or his helpers, don't have the onus to check carefully and report to the list why they are sure that they have removed /all/ bad commands. But the blacklist is finite.
The moral: when Donald E. Knuth writes a program instead of Microsoft, then it is not riddled with security flaws. ^_^
-- Toby
On Wed, Dec 10, 2003 at 02:46:49PM -0800, Toby Bartels wrote:
Tomasz Wegrzanowski wrote:
What about this:
<rend class="math"> \input /etc/passwd </rend>
\input-ting most stuff doesn't work, probably because of TeX-special characters in them, but there are the catcode tricks to go around this problem. I think that knowing structure of the server, or just guessing hard enough, it would be possible to get all files owned by apache, including those that contain passwords to the database. It's also quite likely that there are some ways to takeover the LaTeX process somehow.
If all these efforts fail, there's still good ol' DOS attack. It should be quite easy to create input that require exponential effort from TeX, and use a couple of them to destroy the server.
The moral: in the end you'll need a whitelist of allowed commands.
That moral does not follow. (If it did, sites like Planetmath.org and arXiv.org would be in trouble!)
\input should simply be forbidden, like \write , \include , and, well, just about any command that reads files liberally. There are only a few of these, and we can check with the above sites if we want to make extra certain that we have not missed any.
As for exponential computing effort, most TeX installations normally stop working after a small memory limit has been reached. Again, we can check with the above sites if we want to check that this is really enough.
That's fine for a cracker. To DoS Wikipedia you'd need to send only N requests per minute, for some rather small N, and for each request smaller than 1kB. "Computational complexity DoS" isn't anything new.
I don't mean to say that Peter, or his helpers, don't have the onus to check carefully and report to the list why they are sure that they have removed /all/ bad commands. But the blacklist is finite.
The moral: when Donald E. Knuth writes a program instead of Microsoft, then it is not riddled with security flaws. ^_^
You're wrong, because there are so many modules available, and each of them may introduce new dangerous functions in some new version. You'd need to check every single functions whether it's safe or not, and ban all functions not checked, thus getting a nice whitelist. Otherwise, you're just asking for troubles.
TeX is extremely complex and it wasn't written with security in mind. Putting it on CGI isn't a very wise idea.
Tomasz Wegrzanowski wrote:
Toby Bartels wrote:
As for exponential computing effort, most TeX installations normally stop working after a small memory limit has been reached. Again, we can check with the above sites if we want to check that this is really enough.
That's fine for a cracker. To DoS Wikipedia you'd need to send only N requests per minute, for some rather small N, and for each request smaller than 1kB. "Computational complexity DoS" isn't anything new.
Do you mean N individual requests to TeX something? Sure, that's a DoS attack, but how is texvc safe from that? How is the regular wiki parser safe from that, for that matter?
The moral: when Donald E. Knuth writes a program instead of Microsoft, then it is not riddled with security flaws. ^_^
You're wrong, because there are so many modules available, and each of them may introduce new dangerous functions in some new version. You'd need to check every single functions whether it's safe or not, and ban all functions not checked, thus getting a nice whitelist. Otherwise, you're just asking for troubles.
None of the many modules for TeX is capable of introducing new I/O commands. So you check each relevant module for its use of these commands.
TeX is extremely complex and it wasn't written with security in mind. Putting it on CGI isn't a very wise idea.
Then DoS PlanetMath or arXiv and see how well you do. I mean, state specifically, if it is possible, what you would do. You never explained this the last time we had this conversation, to me or anybody else.
-- Toby
On Wed, Dec 10, 2003 at 05:02:54PM -0800, Toby Bartels wrote:
Tomasz Wegrzanowski wrote:
Toby Bartels wrote:
As for exponential computing effort, most TeX installations normally stop working after a small memory limit has been reached. Again, we can check with the above sites if we want to check that this is really enough.
That's fine for a cracker. To DoS Wikipedia you'd need to send only N requests per minute, for some rather small N, and for each request smaller than 1kB. "Computational complexity DoS" isn't anything new.
Do you mean N individual requests to TeX something? Sure, that's a DoS attack, but how is texvc safe from that? How is the regular wiki parser safe from that, for that matter?
TeX is extremely complex and it wasn't written with security in mind. Putting it on CGI isn't a very wise idea.
Then DoS PlanetMath or arXiv and see how well you do. I mean, state specifically, if it is possible, what you would do. You never explained this the last time we had this conversation, to me or anybody else.
I mean, something like this:
<rend class="math"> \renewcommand{\a}{xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx} \renewcommand{\b}{\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a} \renewcommand{\c}{\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b} \renewcommand{\d}{\c\c\c\c\c\c\c\c\c\c} \d </rend>
Then, http://69.44.153.14/wikitex.php stops rendering if I make the input much bigger. Is it on so purpose or does it have real performance problems even with such a short piece of TeX ?
You can't use such tricks with texvc or Wiki parser.
The moral: when Donald E. Knuth writes a program instead of Microsoft, then it is not riddled with security flaws. ^_^
You're wrong, because there are so many modules available, and each of them may introduce new dangerous functions in some new version. You'd need to check every single functions whether it's safe or not, and ban all functions not checked, thus getting a nice whitelist. Otherwise, you're just asking for troubles.
None of the many modules for TeX is capable of introducing new I/O commands. So you check each relevant module for its use of these commands.
Are you willing to check every module in TeX distro that it doesn't use I/O commands in a way that could be abused by a cracker ? Or is there maybe some version of TeX that simple doesn't contain any dangerous commands ? That would really be much nicer.
Of course, I'm paranoid. Probably nobody would care enough to look for a hole, no matter how big it was. But I'd feel much better if there were a few lines of Perl somewhere, implementing security whitelist, even without any correctness validation.
Tomasz Wegrzanowski wrote:
Toby Bartels wrote:
Then DoS PlanetMath or arXiv and see how well you do. I mean, state specifically, if it is possible, what you would do. You never explained this the last time we had this conversation, to me or anybody else.
I mean, something like this:
<rend class="math"> \renewcommand{\a}{xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx} \renewcommand{\b}{\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a} \renewcommand{\c}{\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b} \renewcommand{\d}{\c\c\c\c\c\c\c\c\c\c} \d </rend>
Then, http://69.44.153.14/wikitex.php stops rendering if I make the input much bigger. Is it on so purpose or does it have real performance problems even with such a short piece of TeX ?
My local TeX installation has no problem with this, but if I go on to use \newcommand{\e} and make one more step, then it stops with this error:
! TeX capacity exceeded, sorry [main memory size=1000001].
Naturally, TeX is designed this way on purpose! This is /why/ it does not overload the server, because it has artificially limited memory capacity. By messing with our local TeX installation, we can set this limiting capacity to whatever we want, in order to ensure that TeX uses up only so much of our computing power.
You can't use such tricks with texvc or Wiki parser.
It's not much of a trick. It's certainly not a DoS attack; all that happens is that TeX stops running and the input is not rendered. This is basically the same thing that happens when texvc gets <math> \SomeCommandThatDoesNotExist </math>; the program exits with an error.
Now, maybe wikitex doesn't handle this error properly! If wikitex crashes the server (to speak in hyperbole) when it gets an input that it can't properly compile, then that is bad. But if it instead prints "! TeX capacity exceeded, sorry [main memory size=1000001].", then it handles errors about as well as texvc does.
(In fact, the prototype at http://69.44.153.14/wikitex.php prints nothing at all, which is a user-friendliness problem, but hardly a security flaw.)
None of the many modules for TeX is capable of introducing new I/O commands. So you check each relevant module for its use of these commands.
Are you willing to check every module in TeX distro that it doesn't use I/O commands in a way that could be abused by a cracker ? Or is there maybe some version of TeX that simple doesn't contain any dangerous commands ? That would really be much nicer.
First, we don't have to check every module in any TeX distribution; we only have to check those modules that we choose to allow. If we don't have the module installed, then they can't use it! By itself, TeX has a few file I/O commands like \input and \write ; no module has file I/O commands that don't work by calling these. LaTeX has had a great deal of tasting, and its commands should be trusted, so this gives us several additional file I/O commands to look for. Yet most modules never use any of these! We can refuse to install those that use file I/O commands that we haven't checked thoroughly.
Peter should assure us that he has gone through, say, the chess module and checked that it doesn't use any file I/O commands other than, say, \wlog (which writes to the log and cannot access any other file). Otherwise I would not trust the module in question.
Of course, I'm paranoid. Probably nobody would care enough to look for a hole, no matter how big it was. But I'd feel much better if there were a few lines of Perl somewhere, implementing security whitelist, even without any correctness validation.
Actually, I think that this is a perfectly reasonable security doublecheck. I don't think that we have any need for the kind of TeX programming that defines new commands; if we disable \renewcommand as well as \input , then I don't think that anything that Axel or I want to do with TeX is lost. If this changes later on, then we can revisit the issue when that happens, because in the end, I don't think that it is really necessary; but until then, it should be reasonable to satisfy you in this way. Do you see any problem with this, Peter? What if Tomasz submits a patch that does this?
BTW to Peter:
I see that <rend class="math"> simply puts us inside LaTeX. I think that it ought to put us directly inside the {equation*} environment. Users don't want to have to type \begin{equation*} and \end{equation*}.
-- Toby
On Thu, Dec 11, 2003 at 11:01:40AM -0800, Toby Bartels wrote:
(In fact, the prototype at http://69.44.153.14/wikitex.php prints nothing at all, which is a user-friendliness problem, but hardly a security flaw.)
I was forced to defer more complex error handling until we migrate to a GUILE backend; but for our current bash implementation we can institute a generic error handler.
Otherwise I would not trust the module in question.
See the documentation at http://69.44.153.14/wikitex_doc.htm for current blacklists; we'll continue to publish, as appropriate, module-specific blacklists.
It seemed prudent, for instace, to disable GUILE directives in Lilypond; though Lilypond author Han-Wen Nienhuys thinks GUILE's safe module may suffice (see http://meta.wikipedia.org/wiki/Music_markup).
I think that it ought to put us directly inside the {equation*} environment.
Precisely; though authors will lose the ability to distinguish between block ({equation*}) and in-line ($) rendering unlike PlanetMath, convenience should have the preference here. We'll probably also place music directly into the \notes{} environment, in spite of several useful things that you can specify beforehand (\relative c'').
Best, Peter
Peter Danenberg wrote:
Salve,
I've recently developed a module with full support for AMSLaTeX, Lilypond and Chess; and I wanted you to take a look before I incorporate it into Wiki.
WikiTeX introduces a new element, the "rend" element, which comes in block and inline form:
<rend class="music" style="tempo: 50" value="[content]" /> or: <rend class="math"> [content] </rend>
The rend element is indefinitely expansible by class modules, of which "math", "music" and "chess" are now supported.
The Music notation thing is really really cool, and so is the chess!!
Lightning
wikitech-l@lists.wikimedia.org