Arcane

Reputation: 1228

Can TeX code be safely executed from untrusted sources?

MediaWiki allows one to embed TeX math code that is rendered into images and posted into the Wiki pages. Is this safe? If one allows untrusted users to input TeX programs to be executed by an interpreter running in a web server, does it open the server up to being hacked by using the TeX interpreter to read files from the server's disks? Is there a way to execute untrusted TeX code safely?

Upvotes: 6

Views: 452

Answers (3)

Jouni K. Seppänen

Reputation: 44142

If your TeX distribution uses the Kpathsea library (it probably does), see the Security section in its documentation.

Upvotes: 2

Jon Ericson

Reputation: 21525

Obviously TeX is able to open and write files through normal operation, which is a possible attack vector. Putting the execution into a sandbox or jail should take care of that.

Be sure to disable \write18, which allows a TeX source file to execute OS commands. There's no good reason to allow that mechanism.

As for the TeX interpreter itself, I'd say there is very little to worry about as it likely has the least significant bug count of any full-featured interpreter ever written. Some other part of your stack will be a far bigger target.

Upvotes: 4
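A sketch of the lockdown the two answers above point at (the Kpathsea security settings and disabling \write18), as an added example that is not code from any of the posters or from MediaWiki. The function names, the `snippet` job name, the 10-second timeout and the stripped-down environment are assumptions made for this illustration; `-no-shell-escape`, `shell_escape`, `openin_any` and `openout_any` are the standard TeX Live / Kpathsea controls.

```python
import os
import subprocess
import tempfile
from pathlib import Path

# Kpathsea reads these from the environment as well as from texmf.cnf.
LOCKED_DOWN = {
    "shell_escape": "f",  # \write18 cannot run OS commands
    "openin_any": "p",    # paranoid: no absolute paths, no "..", no dotfiles on read
    "openout_any": "p",   # same restriction on write
}

def build_invocation(workdir, jobname="snippet", engine="latex"):
    """Return (argv, env) for a restricted TeX run; nothing is executed here."""
    argv = [
        engine,
        "-no-shell-escape",          # command-line counterpart of shell_escape=f
        "-interaction=nonstopmode",  # never wait for terminal input
        "-halt-on-error",
        f"{jobname}.tex",
    ]
    # Start from an empty environment so server secrets are not inherited.
    env = {"PATH": os.environ.get("PATH", "/usr/bin:/bin"), "HOME": str(workdir)}
    env.update(LOCKED_DOWN)
    return argv, env

def render(tex_source, timeout_s=10):
    """Run untrusted TeX in a throwaway directory; return DVI bytes or None."""
    with tempfile.TemporaryDirectory() as tmp:
        workdir = Path(tmp)
        (workdir / "snippet.tex").write_text(tex_source, encoding="utf-8")
        argv, env = build_invocation(workdir)
        try:
            proc = subprocess.run(argv, cwd=workdir, env=env,
                                  stdin=subprocess.DEVNULL,
                                  capture_output=True, timeout=timeout_s)
        except (subprocess.TimeoutExpired, OSError):
            return None  # endless loop in the input, or engine not installed
        dvi = workdir / "snippet.dvi"
        if proc.returncode != 0 or not dvi.exists():
            return None
        return dvi.read_bytes()

if __name__ == "__main__":
    out = render(r"\documentclass{article}\begin{document}$e^{i\pi}+1=0$\end{document}")
    print("rendered" if out else "rejected or failed")
```

These settings only narrow what TeX itself will open or execute; the sandbox or jail mentioned above is still what contains the process, and the timeout is there because TeX input can loop forever.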

shoosh

Reputation: 79011

In theory, yes.
It depends on your TeX interpreter. If a security breach is found in the interpreter you're using and that security breach means that a user can execute arbitrary code then you have a problem.

Upvotes: -1
