From: Joseph Wright
To: LATEX-L@LISTSERV.UNI-HEIDELBERG.DE
Subject: Re: System shell functions
Date: Fri, 24 Aug 2018 19:17:43 +0100
Reply-To: Mailing list for the LaTeX3 project

On 24/08/2018 18:10, Jonathan Fine wrote:
> Hi Joseph
>
> Thank you for your email on l3sys-shell. You wrote:
>
>> There are two broad questions we have. First, how do people feel about
>> these concepts? We can see that there may be some security concerns, hence
>> not adding directly to the expl3 core. However, as one has to be running
>> with unrestricted shell escape anyway, we are not sure if providing macro
>> wrappers makes these worse:
>
> I'm not a security expert. Are you, Joseph? In any case, I've asked your
> question on stack exchange, and put a code review comment on github. Here's
> the URLs
>
> - https://security.stackexchange.com/questions/192249/concerns-about-latex-3-shell-escape-code
> - https://github.com/latex3/latex3/commit/7b62e64dde239f9cb6ae0f08400c0b5ccde815d8#diff-09def3f98d60fce78fbcc00e77c65795R3093
>
> I hope you'll get a useful response from a security expert.
>
> best regards
>
> Jonathan

Hello Jonathan,

Once one allows unrestricted shell escape, all bets are off in terms of what an arbitrary package can do. However, there are legitimate uses for file operations: see e.g. pstool. (Other packages use non-restricted escape, for example minted to run pygmentize.)

Thus the question is whether on balance it seems better to say 'each package that wants to do such operations should write them out itself' or 'we will provide an abstraction'. Clearly, the latter could be seen as 'easier' for a malicious actor to use. On the other hand, writing platform-neutral abstractions for e.g. "remove all files" is actually not that difficult. So the barrier is low.

At present, we've put the operations in a separate file specifically so they have to be loaded explicitly. However, one can see that they may be loaded by a third-party package, e.g. pstool could be altered to do this. They'd then be 'hidden' to some extent.

It's important to emphasise that with a normal TeX Live or MiKTeX set up, these macros will not do anything as *they are restricted by the engine settings*. As such, there is already a 'user opt-in'.

Joseph
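
The engine-level opt-in mentioned above can be audited from a Kpathsea configuration file. The following is an added example, not part of the original message or of the LaTeX3 code: it classifies the default shell-escape policy from `texmf.cnf`-style text. The sample file content and the function names `parse_cnf` and `shell_escape_mode` are constructed for illustration, and treating a missing `shell_escape` setting as disabled is an assumption.

```python
import re

# Constructed sample in texmf.cnf syntax (not copied from a real installation).
SAMPLE_TEXMF_CNF = r"""
% Enable system commands via \write18{...}?
shell_escape = p
shell_escape_commands = \
bibtex,bibtex8,\
kpsewhich,\
makeindex
"""

def parse_cnf(text):
    """Return {name: value} from texmf.cnf-style text.

    Handles % comments and backslash line continuations. Keeping the first
    definition seen for a name is an assumption of this example.
    """
    settings, pending = {}, ""
    for raw in text.splitlines():
        # A comment starts with % at line start or after whitespace.
        line = re.sub(r"(^|\s)%.*$", "", raw).strip()
        if line.endswith("\\"):          # value continues on the next line
            pending += line[:-1].strip()
            continue
        line, pending = pending + line, ""
        m = re.match(r"([A-Za-z_][\w.]*)\s*=?\s*(.*)$", line)
        if m and m.group(1) not in settings:
            settings[m.group(1)] = m.group(2).strip()
    return settings

def shell_escape_mode(settings):
    """Classify the default policy: disabled, restricted or unrestricted."""
    value = settings.get("shell_escape", "f").lower()
    if value[:1] == "p":
        # Restricted mode: only the listed programs may be run.
        allowed = [c for c in
                   settings.get("shell_escape_commands", "").split(",") if c]
        return "restricted", allowed
    if value[:1] in ("t", "y", "1"):
        # Unrestricted: any package loaded by the document can run commands.
        return "unrestricted", None
    return "disabled", []

if __name__ == "__main__":
    print(shell_escape_mode(parse_cnf(SAMPLE_TEXMF_CNF)))
```

The file only gives the default: a run started with `-shell-escape` on the command line is unrestricted regardless, so build scripts and editor configurations need the same review.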