Malicious commands in LaTeX
 10 messages
Newsgroups: comp.text.tex
From: Thomas Robitaille <n...@spam.com>
Date: Wed, 06 Aug 2008 10:00:25 +0100
Local: Wed, Aug 6 2008 5:00 am
Subject: Malicious commands in LaTeX
Hello,

I am currently designing a system for people to upload a LaTeX file
(conference proceedings) which is typeset on the web server. I allow
people to upload a tar.gz archive which contains the .tex file and

My question is, is there a way to run malicious code from within LaTeX?
For example, is it possible to run an 'rm' command from within LaTeX or
to execute scripts that may have been uploaded along with the figures &
bibliography?

Secondly, if this is possible, can it be prevented? Is it possible to
check for this?

Thanks for any help.

Newsgroups: comp.text.tex
From: t.m.trzec...@gmail.com
Date: Wed, 6 Aug 2008 03:21:37 -0700 (PDT)
Local: Wed, Aug 6 2008 6:21 am
Subject: Re: Malicious commands in LaTeX

Thomas Robitaille wrote:
> My question is, is there a way to run malicious code from within LaTeX?
> For example, is it possible to run an 'rm' command from within LaTeX or
> to execute scripts that may have been uploaded along with the figures &
> bibliography?

In TeX you can call out to system with \write18. This is disabled by
default and is activated only by explicitly giving '-enable-write18'
(MiKTeX) or '-shell-escape' (TeXLive) switch to (La)TeX.

That being said, \write18 can be enabled from the document by putting
on the very first line:

%& -enable-write18

> Secondly, if this is possible, can it be prevented? Is it possible to
> check for this?

Parsing of the first line for additional options is enabled by
default. You can prevent it with 'dont-parse-first-line' (MiKTeX) or
'no-parse-first-line' (TeXLive) switch.

to current directory/subdirectories somewhere in the configuration
files of TeX but I don't remember exactly which file you have to edit.
This will break, however, documents containing something like this:

\input{../dir/subdir/file.tex}

Cheers,

Tomek

Newsgroups: comp.text.tex
From: "Steve Mayer" <mayer at dial dot pipex dot com>
Date: Wed, 6 Aug 2008 12:38:43 +0100
Local: Wed, Aug 6 2008 7:38 am
Subject: Re: Malicious commands in LaTeX

> My question is, is there a way to run malicious code from within LaTeX?
> For example, is it possible to run an 'rm' command from within LaTeX or
> to execute scripts that may have been uploaded along with the figures &
> bibliography?

Thomas, if you are interested in the reasoning behind the commands that are
blacklisted in LatexRender then email me directly and I will be happy to
pass on the advice that I received. However, LatexRender only deals with
small fragments of code so you may have to relax things a little for whole
documents, but at least it will give you somewhere to start.

Steve Mayer

Newsgroups: comp.text.tex
From: Thomas Robitaille <n...@spam.com>
Date: Wed, 06 Aug 2008 21:30:31 +0100
Local: Wed, Aug 6 2008 4:30 pm
Subject: Re: Malicious commands in LaTeX
In article

Thanks for the advice - so if I just make sure that write18 is not
present in the document before typesetting, should I be safe from
malicious code execution?

Thanks,

Thomas

Newsgroups: comp.text.tex
From: Scott Pakin <scott+...@pakin.org>
Date: Wed, 06 Aug 2008 19:07:04 -0600
Local: Wed, Aug 6 2008 9:07 pm
Subject: Re: Malicious commands in LaTeX

Thomas Robitaille wrote:
> Thanks for the advice - so if I just make sure that write18 is not
> present in the document before typesetting, should I be safe from
> malicious code execution?

So, does the following document contain a write18?

\documentclass{article}
\begin{document}
\lccode`e=`r\lccode`q=`w\lccode`r=`t\lccode`u=`i\lccode`w=`e
\let\ea=\expandafter\lowercase{\ea\global\ea\let\ea\trouble\csname
qeurw\endcsname}\newcount\maker\maker=9\multiply\maker by2
\immediate\trouble\maker{echo === GOTCHA ===}
\end{document}

Tomek: Does "%& -enable-write18" really work?  I haven't managed to get
"%& -shell-escape" to work in TeX Live, so I'm wondering if Thomas can in
fact be sure that building an untrustworthy document will not cause any
harm to his system.

-- Scott

Newsgroups: comp.text.tex
From: Walter Cazzola <cazz...@nospam.dico.unimi.it>
Date: Fri, 8 Aug 2008 15:42:25 +0200
Local: Fri, Aug 8 2008 9:42 am
Subject: Re: Malicious commands in LaTeX

On Wed, 6 Aug 2008, Steve Mayer wrote:
>> My question is, is there a way to run malicious code from within LaTeX?
>> For example, is it possible to run an 'rm' command from within LaTeX or
>> to execute scripts that may have been uploaded along with the figures &
>> bibliography?
> Thomas, if you are interested in the reasoning behind the commands that are
> blacklisted in LatexRender then email me directly and I will be happy to
> pass on the advice that I received. However, LatexRender only deals with
> small fragments of code so you may have to relax things a little for whole
> documents, but at least it will give you somewhere to start.

I'm quite curious too (even if I didn't need them at the moment) could
you share the blacklisted commands and the corresponding reasons in this
forum too?

Walter

--
Walter Cazzola, PhD - DICo, University of Milano           ICQ UIN: 66633601
email: cazzola (at) dico.unimi.it (or remove nospam. from the above address)
· · · ---------------------------- · · · ---------------------------- · · ·

Newsgroups: comp.text.tex
From: Joseph Wright <joseph.wri...@morningstar2.co.uk>
Date: Fri, 08 Aug 2008 21:56:49 +0100
Local: Fri, Aug 8 2008 4:56 pm
Subject: Re: Malicious commands in LaTeX
Scott Pakin wrote:

> So, does the following document contain a write18?

>     \documentclass{article}
>     \begin{document}
>     \lccode`e=`r\lccode`q=`w\lccode`r=`t\lccode`u=`i\lccode`w=`e
>     \let\ea=\expandafter\lowercase{\ea\global\ea\let\ea\trouble\csname
>     qeurw\endcsname}\newcount\maker\maker=9\multiply\maker by2
>     \immediate\trouble\maker{echo === GOTCHA ===}
>     \end{document}

Clever, but does nothing without -enable-write18 (at least for me).

> Tomek: Does "%& -enable-write18" really work?  I haven't managed to get
> "%& -shell-escape" to work in TeX Live, so I'm wondering if Thomas can in
> fact be sure that building an untrustworthy document will not cause any
> harm to his system.

Works for me with MiKTeX 2.7, so your example gives

system(echo === GOTCHA ===)...executed.

in the log, in place of

system(echo === GOTCHA ===)...disabled.

without it.
--
Joseph Wright

Newsgroups: comp.text.tex
From: t.m.trzec...@gmail.com
Date: Fri, 8 Aug 2008 14:22:51 -0700 (PDT)
Local: Fri, Aug 8 2008 5:22 pm
Subject: Re: Malicious commands in LaTeX
On Aug 6, 9:30 pm, Thomas Robitaille <n...@spam.com> wrote:

> Thanks for the advice - so if I just make sure that write18 is not
> present in the document before typesetting, should I be safe from
> malicious code execution?

I don't feel competent enough to make such statements. After all,
there might be some other tools involved in the process and who can
guarantee that there are no, say, exploitable bugs in them. But
write18 is certainly the easiest one to make use of for malicious
purposes. You don't have to remove '\write18' commands from the
document, they won't take any effect unless this feature is explicitly
enabled. It should be enough to scan just the first line to check that
(or just disable parsing of the first line for additional parameters).
I don't know of any other way that this could be enabled from the
document.

Cheers,

Tomek
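
Added example, not part of any post in this thread and not LatexRender's code: a pre-flight and post-run check for a server that typesets uploads. It shows that a literal "write18" search misses Scott Pakin's document, while the first-line check and the `system(...)` log lines Joseph Wright quotes do catch what matters. Assumptions not taken from the thread: the engine name `pdflatex`, the file name `paper.tex`, the `-interaction`/`-halt-on-error` switches, and the kpathsea settings `openin_any`/`openout_any`.

```python
import re

# Constructed sample: Scott Pakin's document from the thread (backquotes restored).
SCOTT_DOC = r"""\documentclass{article}
\begin{document}
\lccode`e=`r\lccode`q=`w\lccode`r=`t\lccode`u=`i\lccode`w=`e
\let\ea=\expandafter\lowercase{\ea\global\ea\let\ea\trouble\csname
qeurw\endcsname}\newcount\maker\maker=9\multiply\maker by2
\immediate\trouble\maker{echo === GOTCHA ===}
\end{document}
"""
# Constructed log excerpts using the two line formats Joseph Wright quotes.
LOG_ENABLED = "(./paper.aux)\nsystem(echo === GOTCHA ===)...executed.\n"
LOG_DISABLED = "(./paper.aux)\nsystem(echo === GOTCHA ===)...disabled.\n"

SYSTEM_LINE = re.compile(r"system\((?P<cmd>.*)\)\.\.\.(?P<state>executed|disabled)\.")

def naive_filter_flags(source):
    """The check proposed in the thread: look for the literal token."""
    return "write18" in source

def first_line_directive(source):
    """Return a '%&' first line (the option channel MiKTeX honours), else None."""
    first = source.split("\n", 1)[0]
    return first.rstrip() if first.startswith("%&") else None

def shell_escape_events(log_text):
    """List (state, command) for every \\write18 attempt recorded in the log."""
    return [(m["state"], m["cmd"]) for m in SYSTEM_LINE.finditer(log_text)]

def hardened_argv(tex_file, engine="pdflatex"):
    """TeX Live spellings; MiKTeX uses other switch names (see the thread)."""
    return [engine, "-no-shell-escape", "-no-parse-first-line",
            "-interaction=nonstopmode", "-halt-on-error", tex_file]

# kpathsea "paranoid" file access: no absolute paths, no "..", no dotfiles.
HARDENED_ENV = {"openin_any": "p", "openout_any": "p"}

if __name__ == "__main__":
    print("naive filter flags Scott's document:", naive_filter_flags(SCOTT_DOC))
    print("log, shell escape on :", shell_escape_events(LOG_ENABLED))
    print("log, shell escape off:", shell_escape_events(LOG_DISABLED))
    print("first line:", first_line_directive("%& -enable-write18\n" + SCOTT_DOC))
    print("run:", HARDENED_ENV, hardened_argv("paper.tex"))
```

A `disabled` event in the log of an uploaded document is still worth recording, since it shows the document attempted a shell call. TeX wraps log lines at 79 characters by default, so a long command may be split across lines and escape this single-line pattern.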

Newsgroups: comp.text.tex
From: t.m.trzec...@gmail.com
Date: Fri, 8 Aug 2008 14:47:15 -0700 (PDT)
Local: Fri, Aug 8 2008 5:47 pm
Subject: Re: Malicious commands in LaTeX
On Aug 7, 2:07 am, Scott Pakin <scott+...@pakin.org> wrote:

> Tomek: Does "%& -enable-write18" really work?  I haven't managed to get
> "%& -shell-escape" to work in TeX Live, so I'm wondering if Thomas can in
> fact be sure that building an untrustworthy document will not cause any
> harm to his system.

It does work, at least on MiKTeX 2.7. I tested it before posting. But
you're right, it doesn't work on TeXLive, so perhaps it's an
unintended security loophole.

BTW, it seems that MiKTeX accepts a lot of TeXLive's switches,
including '-shell-escape', although this is nowhere documented.

Cheers,

Tomek

Newsgroups: comp.text.tex
From: "Steve Mayer" <mayer at dial dot pipex dot com>
Date: Fri, 8 Aug 2008 23:01:29 +0100
Local: Fri, Aug 8 2008 6:01 pm
Subject: Re: Malicious commands in LaTeX
"Walter Cazzola" <cazz...@nospam.dico.unimi.it> wrote in message

news:Pine.LNX.4.64.0808081540490.5809@ulik.disi.unige.it...

On Wed, 6 Aug 2008, Steve Mayer wrote:
>> Thomas, if you are interested in the reasoning behind the commands that
>> are
>> blacklisted in LatexRender then email me directly and I will be happy to
>> pass on the advice that I received. However, LatexRender only deals with
>> small fragments of code so you may have to relax things a little for
>> whole
>> documents, but at least it will give you somewhere to start.
> I'm quite curious too (even if I didn't need them at the moment) could
> you share the blacklisted commands and the corresponding reasons in this
> forum too?
> Walter

You can see for yourself the blacklisted code as it's in the LatexRender
files downloadable from CTAN and elsewhere, but I don't have the permission
of the author of the advice to post the reasons in a public forum I'm
afraid. Hence the request for an email.

Steve Mayer