texlua-based tool and restricted shell escape

Norbert Preining norbert at preining.info
Wed Feb 21 06:39:13 CET 2024


Hi Jonathan,

On Tue, 20 Feb 2024, Jonathan Fine wrote:
> Is there anyone from the arXiv reading this thread? It would be a shame if

Yes, me.

> this feature delayed the deployment of tagged PDF via Latex. Or in any
> other way caused difficulty for the arXiv's very important typesetting
> service.

Tagged PDF is still a long long way into the future. We just had the
DEIMS conference in Tokyo, and had lots of discussions with Frank on the
future of tagged PDF.
arXiv is for now going a separate way by using LaTeXML to convert to
HTML, which has the best support for visually impaired users.

> I'd be wary of running third party Latex files that could export via PDF
> important information about the system that is typesetting the files. For

The generation of PDFs is tightly guarded and compartmentalized.

> If there's anyone on the arXiv reading this, I'm all ears for what they
> have to say.

We have been aware of the problems for a long time.
And TL2024 will even increase security.

On Tue, 20 Feb 2024, Jonathan Fine wrote:
> Subject: Don’t take LaTeX files from strangers
> https://www.usenix.org/system/files/login/articles/73506-checkoway.pdf

Very very old.

> Much to my surprise I found a reference to MathTran, a service I created
> over 15 years ago. The article wrote: The one previewer we were unable to
> attack, MathTran, uses Secure plain TeX, a reimplementation of plain TeX
> that prevents using any control sequence other than those meant for
> typesetting.

Which unfortunately is not a possible approach on any real service, like
arXiv.

Best regards

Norbert

--
PREINING Norbert                              https://www.preining.info
arXiv / Cornell University   +   IFMGA Guide   +   TU Wien  +  TeX Live
GPG: 0x860CDC13   fp: F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13
