From: Peter Wilson
To: LATEX-L@LISTSERV.UNI-HEIDELBERG.DE
Subject: Re: System shell functions
Date: Sat, 25 Aug 2018 21:24:34 +0100

Jonathan,

You might have had more responses if you had posted to https://tex.stackexchange.com

Peter W.

On 24/08/18 18:10, Jonathan Fine wrote:
> Hi Joseph
>
> Thank you for your email on l3sys-shell. You wrote:
>
> There are two broad questions we have. First, how do people feel about these concepts? We can see that there may be some security concerns, hence not adding directly to the expl3 core. However, as one has to be running with unrestricted shell escape anyway, we are not sure if providing macro wrappers makes these worse:
>
> I'm not a security expert. Are you, Joseph? In any case, I've asked your question on Stack Exchange, and put a code review comment on GitHub. Here are the URLs:
>
> * https://security.stackexchange.com/questions/192249/concerns-about-latex-3-shell-escape-code
> * https://github.com/latex3/latex3/commit/7b62e64dde239f9cb6ae0f08400c0b5ccde815d8#diff-09def3f98d60fce78fbcc00e77c65795R3093
>
> I hope you'll get a useful response from a security expert.
>
> best regards
>
> Jonathan
