System queries with Lua: l3sys-query
Joseph Wright
joseph at texdev.net
Wed Mar 6 07:20:07 CET 2024
On 05/03/2024 23:34, Karl Berry wrote:
> Do I understand correctly that the key safety bit is:
>
> -- Look for absolute paths or any trying to leave the confines of the current
> -- directory: this is not supported.
> if match(spec,"%.%.") or
> match(spec,"^/") or
> match(spec,"^\\") or
> match(spec,"[a-zA-Z]:") then
> return
> end
>
> That looks ok to me. And when I tried running it, I got back the
> expected blank line for anything untoward.
Yes, at least at present. This is likely overkill as it means that one
can't list anything outside the pwd, even though that is possible with
normal security settings for the TeX run. The plan is ideally that
rather than worry about this in l3sys-query, a more general setup for
texlua gets agreed (Marcel is I believe on it). Then we'll have a
situation where loading the appropriate module means that lfs isn't an
issue, and things 'just work'.
But to get things going and not to have to worry so much, we started
more restrictive.
> I have a number of non-security comments, but will write those up later
> today or tomorrow. Wanted to send this off now. --thanks, karl.
I look forward to them.
Joseph
More information about the tex-live
mailing list.