From: Jonathan Fine
To: LATEX-L@LISTSERV.UNI-HEIDELBERG.DE
Date: Sat, 25 Aug 2018 21:49:50 +0100
Subject: Re: System shell functions
In-Reply-To: <5164150e-54e3-0f63-a2ac-09cc724dcf96@earthlink.net>
References: <7aac3298-e217-7dfe-6787-ad1b69f43fc4@morningstar2.co.uk> <5164150e-54e3-0f63-a2ac-09cc724dcf96@earthlink.net>
Sender: Mailing list for the LaTeX3 project

Hi

Peter: I'm wanting to get responses from security experts, not TeX experts. Ideally, we want a security expert who's also a TeX expert. But if it's one or the other, this question needs a security expert. In other words, someone who understands:

> https://xkcd.com/327 - the famous Bobby Drop Tables story.

Bruno: Yes, my thoughts exactly, but better expressed. Thank you. And they could do much more than just remove a file. They could, probably, execute an arbitrary command. Something that might escalate the exploit.

best regards

Jonathan

On Sat, Aug 25, 2018 at 9:24 PM, Peter Wilson wrote:
> Jonathan,
>
> You might have had more responses if you had posted to
> https://tex.stackechange.com
>
> Peter W.
>
> On 24/08/18 18:10, Jonathan Fine wrote:
>
>> Hi Joseph
>>
>> Thank you for your email on l3sys-shell. You wrote:
>>
>>> There are two broad questions we have. First, how do people feel about
>>> these concepts? We can see that there may be some security concerns, hence
>>> not adding directly to the expl3 core. However, as one has to be running
>>> with unrestricted shell escape anyway, we are not sure if providing macro
>>> wrappers makes these worse:
>>
>> I'm not a security expert. Are you, Joseph? In any case, I've asked your
>> question on stack exchange, and put a code review comment on github. Here's
>> the URLs
>>
>> - https://security.stackexchange.com/questions/192249/concerns-about-latex-3-shell-escape-code
>>
>> - https://github.com/latex3/latex3/commit/7b62e64dde239f9cb6ae0f08400c0b5ccde815d8#diff-09def3f98d60fce78fbcc00e77c65795R3093
>>
>> I hope you'll get a useful response from a security expert.
>>
>> best regards
>>
>> Jonathan
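Jonathan's "Bobby Drop Tables" comparison is about a specific defect class: a wrapper that pastes an untrusted file name into a shell command line lets any shell metacharacters in that name become shell syntax, so "remove a file" can turn into "run a second command". The following is an added example, not code from this thread or from l3sys-shell. It contrasts the naive string-building pattern with a quoted one and an allow-list check, and it only tokenises the resulting strings the way a POSIX shell would read them; nothing is executed. The verb `ls -l` and the file names are constructed for the demonstration.

```python
"""Added example, not code from the LATEX-L thread or from l3sys-shell.

Shows why pasting an untrusted file name into a shell command is the same
class of bug as the SQL injection in xkcd 327: metacharacters in the data
become part of the command. Strings are only tokenised, never run.
"""
import re
import shlex

# Hypothetical wrapper verb: stands in for whatever a shell-calling macro
# would prepend to a file name. Chosen for the demonstration only.
VERB = "ls -l"


def naive_command(filename: str) -> str:
    """The injectable pattern: plain string concatenation."""
    return f"{VERB} {filename}"


def quoted_command(filename: str) -> str:
    """The hardened pattern: shlex.quote makes the name one shell word,
    so separators inside it stay data rather than becoming syntax."""
    return f"{VERB} {shlex.quote(filename)}"


def shell_words(command: str) -> list[str]:
    """Tokenise a command as a POSIX shell would, returning operators such
    as ';', '|' and '&' as their own tokens. Dry run: no shell is invoked."""
    lex = shlex.shlex(command, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)


def is_plain_filename(filename: str) -> bool:
    """Allow-list check a wrapper can apply before any shell call: only
    letters, digits, '.', '_' and '-', and no leading '-' so the name
    cannot be parsed as a command-line option."""
    return re.fullmatch(r"[A-Za-z0-9_.][A-Za-z0-9_.-]*", filename) is not None


def injects_extra_command(filename: str) -> bool:
    """True if the naive wrapper would hand the shell more than one command."""
    return ";" in shell_words(naive_command(filename))


if __name__ == "__main__":
    # Constructed inputs: an ordinary name and one carrying a separator.
    for name in ["notes.tex", "notes.tex; echo injected"]:
        print(f"input: {name!r}")
        print(f"  naive  -> {shell_words(naive_command(name))}")
        print(f"  quoted -> {shell_words(quoted_command(name))}")
        print(f"  allow-listed: {is_plain_filename(name)}")
```

The quoting fixes the string form, but the stronger mitigation is to avoid the string form altogether and pass an argument vector to the program directly (for example `subprocess.run([...])` without `shell=True`), which is what the allow-list check and `shlex.quote` approximate when a command line is unavoidable.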