From: Jonathan Fine
To: LATEX-L@LISTSERV.UNI-HEIDELBERG.DE
Reply-To: Mailing list for the LaTeX3 project
Date: Fri, 24 Aug 2018 18:10:46 +0100
Subject: Re: System shell functions

Hi Joseph

Thank you for your email on l3sys-shell. You wrote:

> There are two broad questions we have. First, how do people feel about
> these concepts? We can see that there may be some security concerns, hence
> not adding directly to the expl3 core. However, as one has to be running
> with unrestricted shell escape anyway, we are not sure if providing macro
> wrappers makes these worse:

I'm not a security expert. Are you, Joseph? In any case, I've asked your question on stack exchange, and put a code review comment on github. Here's the URLs

- https://security.stackexchange.com/questions/192249/concerns-about-latex-3-shell-escape-code
- https://github.com/latex3/latex3/commit/7b62e64dde239f9cb6ae0f08400c0b5ccde815d8#diff-09def3f98d60fce78fbcc00e77c65795R3093

I hope you'll get a useful response from a security expert.

best regards

Jonathan