Is it safe to execute TeX code from untrusted sources?

MediaWiki allows you to embed TeX math code, which is rendered as images and published on wiki pages. Is it safe? If someone allows untrusted users to enter TeX programs that will be executed by an interpreter running on a web server, does he open the server up to hacking, with the TeX interpreter being used to read files from the server's disks? Is there a way to safely execute untrusted TeX code?

+6
web-applications latex tex
3 answers

Obviously, TeX can open and write files using the usual operations, which is a possible attack vector. Putting execution in a sandbox or jail should take care of this.

Be sure to disable `\write18`, which allows the TeX source file to execute OS commands. There is no reason to allow this mechanism.

As for the TeX interpreter itself, I would say that there is little to worry about, as it probably has the smallest number of errors of any full-featured interpreter ever written. The other parts of your stack will be much more significant.

+4

If your TeX distribution uses the Kpathsea library (it probably does), see the security section in its documentation.

+2
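An added example, not code from the question or from any answer: a Python wrapper that combines the two answers above by running `pdflatex` with `\write18` disabled and Kpathsea's `openin_any`/`openout_any` set to paranoid mode, in a throwaway directory with CPU, file-size and wall-clock limits. The function names, limit values and `PATH` are assumptions; it assumes a TeX Live style `pdflatex` on a POSIX host and is meant to run inside the sandbox or jail, not replace it.

```python
import resource
import subprocess
import tempfile
from pathlib import Path

CPU_SECONDS = 10                      # assumed limits; tune for your workload
MAX_FILE_BYTES = 16 * 1024 * 1024

def build_command(jobname="snippet"):
    # -no-shell-escape forces \write18 off regardless of texmf.cnf.
    return ["pdflatex", "-no-shell-escape", "-interaction=nonstopmode",
            "-halt-on-error", f"-jobname={jobname}", f"{jobname}.tex"]

def build_env(workdir):
    # Minimal environment: nothing inherited from the web server process.
    # Kpathsea value "p" (paranoid) refuses dotfiles, ".." components and
    # absolute paths outside the output directory for \input and \openout.
    return {
        "PATH": "/usr/bin:/bin",      # assumed location of pdflatex
        "HOME": str(workdir),
        "openin_any": "p",
        "openout_any": "p",
    }

def _apply_limits():
    # Runs in the child before exec: cap CPU time and the size of any file
    # written, so a looping or output-flooding document is killed.
    resource.setrlimit(resource.RLIMIT_CPU, (CPU_SECONDS, CPU_SECONDS))
    resource.setrlimit(resource.RLIMIT_FSIZE, (MAX_FILE_BYTES, MAX_FILE_BYTES))

def render(tex_source, timeout=15):
    """Return PDF bytes, or None if the run failed or exceeded a limit."""
    with tempfile.TemporaryDirectory(prefix="texjail-") as tmp:
        work = Path(tmp)
        (work / "snippet.tex").write_text(tex_source, encoding="utf-8")
        try:
            proc = subprocess.run(
                build_command(), cwd=work, env=build_env(work),
                stdin=subprocess.DEVNULL, capture_output=True,
                timeout=timeout, preexec_fn=_apply_limits)
        except subprocess.TimeoutExpired:
            return None
        pdf = work / "snippet.pdf"
        if proc.returncode != 0 or not pdf.exists():
            return None
        return pdf.read_bytes()
```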

In theory, yes.
It depends on your TeX translator. If a security violation is detected in the interpreter used, and this security violation means that the user can execute arbitrary code, then you have a problem.

0