teximg: Make TeX handle preventing unsafe things; remove insufficient blacklist

TeX has configuration options that prevent unsafe things like shell
escapes and insecure file reads/writes.  Turn all of them on.

teximg's regex-based blacklist does not suffice.  For instance:

[[!teximg code="""
\catcode`\%=0
%input{/etc/passwd}
"""]]

Remove the blacklist, since the TeX configuration options seal off the
underlying mechanisms more safely, and the blacklist blocks other TeX
commands that can prove useful.

diff --git a/IkiWiki/Plugin/teximg.pm b/IkiWiki/Plugin/teximg.pm
index dba5372b5fee98c33cf044e3b28024c53033649a..f92ed01326b7df203b59e4e05e423ce4f6f8209f 100644 (file)
--- a/IkiWiki/Plugin/teximg.pm
+++ b/IkiWiki/Plugin/teximg.pm
@@ -69,13 +69,7 @@ sub preprocess (@) {
        if (! defined $code && ! length $code) {
                error gettext("missing tex code");
        }
-
-       if (check($code)) {
-               return create($code, check_height($height), \%params);
-       }
-       else {
-               error gettext("code includes disallowed latex commands")
-       }
+       return create($code, check_height($height), \%params);
 }
 
 sub check_height ($) {
@@ -155,7 +149,7 @@ sub gen_image ($$$$) {
        my $tmp = eval { create_tmp_dir($digest) };
        if (! $@ &&
            writefile("$digest.tex", $tmp, $tex) &&
-           system("cd $tmp; latex --interaction=nonstopmode $tmp/$digest.tex > /dev/null") == 0 &&
+           system("cd $tmp; shell_escape=f openout_any=p openin_any=p latex --interaction=nonstopmode $digest.tex < /dev/null > /dev/null") == 0 &&
            # ensure destination directory exists
            writefile("$imagedir/$digest.png", $config{destdir}, "") &&
            (($config{teximg_dvipng} &&
@@ -191,34 +185,4 @@ sub create_tmp_dir ($) {
        return $tmpdir;
 }
 
-sub check ($) {
-       # Check if the code is ok
-       my $code = shift;
-
-       my @badthings = (
-               qr/\$\$/,
-               qr/\\include/,
-               qr/\\includegraphic/,
-               qr/\\usepackage/,
-               qr/\\newcommand/, 
-               qr/\\renewcommand/,
-               qr/\\def/,
-               qr/\\input/,
-               qr/\\open/,
-               qr/\\loop/,
-               qr/\\errorstopmode/,
-               qr/\\scrollmode/,
-               qr/\\batchmode/,
-               qr/\\read/,
-               qr/\\write/,
-       );
-       
-       foreach my $thing (@badthings) {
-               if ($code =~ m/$thing/ ) {
-                       return 0;
-               }
-       }
-       return 1;
-}
-
 1

diff --git a/debian/changelog b/debian/changelog
index 9926925660349a0d1688e19441454a44988372c9..a5b07aac167a3bad980b7fca531b25da019cf163 100644 (file)
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,6 @@
 ikiwiki (3.1415926) UNRELEASED; urgency=low
 
+  [ Joey Hess ]
   * po: Detect if nowrapi18n can't be passed to po4a, and warn about
     the old version, but continue. Closes: #541205 
   * inline: Avoid use of my $_ as it fails with older perls.
@@ -40,6 +41,10 @@ ikiwiki (3.1415926) UNRELEASED; urgency=low
   * img: Don't generate new verison of image if it is scaled to be
     larger in either dimension.
 
+  [ Josh Triplett ]
+  * teximg: Replace the insufficient blacklist with the built-in security
+    mechanisms of TeX.
+
  -- Joey Hess <joeyh@debian.org>  Wed, 12 Aug 2009 12:25:30 -0400
 
 ikiwiki (3.141592) unstable; urgency=low