Can TeX code be safely executed from untrusted sources?

MediaWiki allows one to embed TeX math code that is rendered into images and posted into the Wiki pages. Is this safe? If one allows untrusted users to input TeX programs to be executed by an interpreter running in a web server, does it open the server up to being hacked by using the TeX interpreter to read files from the server's disks? Is there a way to execute untrusted TeX code safely?

Arcane asked Jan 21 '09 22:01


2 Answers

Obviously TeX is able to open and write files through normal operation, which is a possible attack vector. Putting the execution into a sandbox or jail should take care of that.

Be sure to disable \write18, which allows a TeX source file to execute OS commands. There's no good reason to allow that mechanism.

As for the TeX interpreter itself, I'd say there is very little to worry about as it likely has the least significant bug count of any full-featured interpreter ever written. Some other part of your stack will be a far bigger target.

Jon Ericson answered Oct 05 '22 06:10


If your TeX distribution uses the Kpathsea library (it probably does), see the Security section in its documentation.

Jouni K. Seppänen answered Oct 05 '22 06:10
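One way to combine the two answers above, as an added example that is not code from either poster or from MediaWiki: a wrapper that runs the engine with `\write18` disabled, Kpathsea's `openin_any`/`openout_any` set to paranoid, a fresh environment, a throwaway working directory and resource limits. The engine name, its location under `/usr/bin`, the function names and the limit values are assumptions, and the wrapper complements the sandbox or jail recommended in the first answer rather than replacing it.

```python
import os
import resource
import subprocess
import tempfile

ENGINE = "latex"  # assumption: a TeX Live engine installed under /usr/bin

def build_invocation(jobname="formula"):
    """Return (argv, env) for one run of untrusted TeX input."""
    argv = [
        ENGINE,
        "-no-shell-escape",        # \write18 cannot run OS commands
        "-interaction=batchmode",  # never stop at a prompt
        "-halt-on-error",
        jobname + ".tex",
    ]
    env = {
        "PATH": "/usr/bin:/bin",   # fresh environment, nothing inherited
        "openin_any": "p",         # Kpathsea "paranoid" setting for reads
        "openout_any": "p",        # ... and for writes
    }
    return argv, env

def _limits():
    # Runs in the child before exec: bound CPU time and output file size.
    resource.setrlimit(resource.RLIMIT_CPU, (10, 10))
    resource.setrlimit(resource.RLIMIT_FSIZE, (16 * 2**20, 16 * 2**20))

def render(tex_source, jobname="formula"):
    """Run the engine in a throwaway directory; return DVI bytes or None."""
    argv, env = build_invocation(jobname)
    with tempfile.TemporaryDirectory() as workdir:
        env["HOME"] = workdir
        with open(os.path.join(workdir, jobname + ".tex"), "w") as fh:
            fh.write(tex_source)
        try:
            subprocess.run(argv, cwd=workdir, env=env, preexec_fn=_limits,
                           stdin=subprocess.DEVNULL, stdout=subprocess.DEVNULL,
                           stderr=subprocess.DEVNULL, timeout=30, check=True)
            with open(os.path.join(workdir, jobname + ".dvi"), "rb") as fh:
                return fh.read()
        except (OSError, subprocess.SubprocessError):
            return None  # engine missing, failed, timed out, or hit a limit
```
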