security concern with setlist arguments
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Rubber |
Fix Released
|
High
|
Sebastian Kapfer |
Bug Description
First, I am thrilled that it is now possible to use rubber with documents
that require the latex -shell-escape flag. Nice work!
I do want to note a concern, though, with using 'setlist arguments' as the
mechanism to pass this flag to latex. The reason the -shell-escape flag
exists in the first place is that the feature it provides is a security
risk, so latex places the burden on the user to explicitly enable it from
the command line, instead of having it on by default, or providing means
by which it can be enabled from within the file.
Rubber provides the magic syntax for setting this within the .tex file
itself, namely:
% rubber: setlist arguments --shell-escape
This magic syntax is a great convenience to latex authors, but it also
introduces the security risk where a malicious .tex file could be used as
an attack vector.
If the rubber developers agree that this is a security concern that should
be addressed, I propose the following alternative:
* Disallow the use of '-shell-escape' with 'setlist arguments'
* Add a command line option to rubber by which the user can explicitly
enable this feature. (like --shell-escape)
Thank you.
Changed in rubber: | |
milestone: | 1.2 → none |
status: | Fix Committed → Fix Released |
Valid argument against enabling shell escapes `modeline' style