SafeTeX? Formula insertion by untrusted individuals


Danilo Segan

27.10.2002, 14:13:44
Is there any existing macro package that is good enough at rendering
all the mathematical formulae, yet prohibits all the dangerous tricks
with TeX?

Some of the void tricks include
\output={\unvbox255\setbox0=\vbox{a}\shipout\box0}, \def\a{\a}\a, and
of course unprivileged \input's, \read's, \write's, \openin,
\openout, \catcode games, and anything else I have missed.

Of course, page breaking and that sort of stuff should be prohibited:
just enough of TeX to render formulae to PostScript using TeX syntax
(that's a must).

The reason I need this is to make formulae insertion possible in one
web-based forum. Because of the portability, MathML is still out of
the question.

I already started writing a macro package like this (to prohibit
anything that's unnecessary), but just wondered if there is a ready
solution to this.

I am removing "unneeded" parts of Plain TeX, adding some trivial LaTeX
constructs like \frac in terms of \over, and disabling \def's (with
\let\def=\edef, thus limiting the possibilities, but it's not really
needed in formula insertion). \output is being set after the formula
to force it.

Any help, hint greatly appreciated (is there a preexisting package, am
I missing something, etc.).

Thanks,
Danilo Šegan

Torsten Bronger

27.10.2002, 15:18:26
Hello!

Danilo Segan wrote:

> Is there any existing macro package that is good enough at rendering
> all the mathematical formulae, yet prohibits all the dangerous tricks
> with TeX?
>
> [...]
>
> The reason I need this is to make formulae insertion possible in one
> web-based forum. Because of the portability, MathML is still out of
> the question.

You can easily transform MathML to LaTeX, e.g. with XSLT.

Bye,
Torsten.

--
Publish for web *and* print output: Visit
the tbook program at http://tbookdtd.sourceforge.net

Danilo Segan

28.10.2002, 05:49:23
Torsten Bronger <bro...@physik.rwth-aachen.de> wrote:
>
> You can easily transform MathML to LaTeX, e.g. with XSLT.
>

So I know, but since it will be humans entering formulae in Plain TeX
(or LaTeX if insisted on; MathML for input is clearly out of the
question), which should render properly, I could use a tool which would
translate the (La)TeX input to MathML, then translate MathML back to
(La)TeX to produce a graphic image for serving the page.

Actually, the main point I am bringing is security, next to a lot of
options: I need either improper control sequences invalidated and
simply ignored, but want to keep some possibilities of TeX (def's and
stuff, since users will be at least a bit proficient in TeX).

Of course, another solution is parsing the code in front, and any
sequences not in the "allowed" list being removed.

I am also looking for the minimal restrictions possible: I want even
to let users use \font, \countX, and all the other stuff that is not
directly pertinent to (in)security (though the font usage could be
argued).

But, I'd also like to avoid any extensive preprocessing (when we add
it to TeX it might be quite a load on the server).

Anyway, thanks for your suggestion!

Danilo Šegan

PS. Sorry for multiple posts and private posts!
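
A sketch of the "allowed list" pre-filter Danilo mentions above, added here as an example and not code from any poster in the thread. It assumes default plain TeX category codes; the allowlist contents and the name `check_formula` are made up for illustration.

```python
import re

# Constructed allowlist for illustration: math-only control words and a few
# control symbols. \def, \csname, \catcode, \input, \write etc. are absent.
ALLOWED_WORDS = {
    "frac", "over", "sqrt", "sum", "int", "prod", "lim", "infty", "alpha",
    "beta", "gamma", "pi", "sin", "cos", "log", "left", "right", "cdot",
    "times", "le", "ge", "ne", "to",
}
ALLOWED_SYMBOLS = {",", ";", "!", " ", "{", "}", "|"}

# With default catcodes a control sequence is a backslash followed by either
# a run of letters (control word) or one other character (control symbol).
CONTROL_SEQ = re.compile(r"\\([A-Za-z]+|.)", re.DOTALL)


def check_formula(src):
    """Return the reasons to reject src; an empty list means it passed."""
    problems = []
    # TeX turns ^^5c into a backslash before it forms tokens, which would
    # hide a control sequence from the regex, so refuse the notation outright.
    if "^^" in src:
        problems.append("^^ notation")
    if any(ch != "\n" and not " " <= ch <= "~" for ch in src):
        problems.append("character outside printable ASCII")
    for match in CONTROL_SEQ.finditer(src):
        name = match.group(1)
        allowed = ALLOWED_WORDS if name.isalpha() else ALLOWED_SYMBOLS
        if name not in allowed:
            problems.append("\\" + name)
    if "\\" in CONTROL_SEQ.sub("", src):
        problems.append("dangling backslash")
    return problems


if __name__ == "__main__":
    # Constructed inputs; the second and third are the tricks quoted in the thread.
    for sample in (r"\frac{a}{b} + \sqrt{x}", r"\def\a{\a}\a",
                   r"\output={\unvbox255\setbox0=\vbox{a}\shipout\box0}",
                   r"\catcode`\@=11 \@@over", "x^^5cinput y"):
        print(repr(sample), "->", check_formula(sample) or "accepted")
```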

Peter Schmitt

28.10.2002, 09:07:09
On 28 Oct 2002, Danilo Segan wrote:

> Torsten Bronger <bro...@physik.rwth-aachen.de> wrote:
>
> Actually, the main point I am bringing is security, next to a lot of
> options: I need either improper control sequences invalidated and
> simply ignored, but want to keep some possibilities of TeX (def's and
> stuff, since users will be at least a bit proficient in TeX).
>
This is rather easily achieved:
\let\write\relax (or \undefined)
will make \write inaccessible,
at least in plain TeX.
In LaTeX you have to look for synonyms
(introduced for similar reasons, e.g., in order to hide \over)
introduced earlier (using \let, e.g. \let\@@over\over)
to hide some primitives.

--
Peter Schmitt Peter....@ap.univie.ac.at

Danilo Segan

28.10.2002, 15:57:13
Peter Schmitt <sch...@ap.univie.ac.at> wrote:
> This is rather easily achieved:
> \let\write\relax (or \undefined)
> will make \write inaccessible,
> at least in plain TeX.
> In LaTeX you have to look for synonyms
> (introduced for similar reasons, e.g., in order to hide \over)
> introduced earlier (using \let, e.g. \let\@@over\over)
> to hide some primitives.


As I already covered in my first post, (Google archives it at
http://groups.google.com/groups?threadm=b5839728.0210280249.11280f26%40posting.google.com
, check the first message in the thread), there is a lot more to it
than that.

There are infinite loops via \def's, and \output's, and probably a
whole lot more.

Also, I believe it would be wiser to \let\catcode=\nonexistant, so the
user wouldn't be able to \catcode`\@=11 or whatever. Then I would not
need to disallow every "private" control sequence.

But the thing is I am looking to avoid going through all the TeX
primitives one at a time (asterisks next to them in TeXbook appendix
:), let alone each and every sequence LaTeX introduces.

If it cannot be avoided, well... I'll dive into it.

Thanks for your response,
and all the best!

Danilo

Scott Pakin

28.10.2002, 16:05:50
Danilo Segan wrote:
> But the thing is I am looking to avoid going through all the TeX
> primitives one at a time (asterisks next to them in TeXbook appendix
> :), let alone each and every sequence LaTeX introduces.

CTAN:info/plain.csname.txt may save you some time.

-- Scott

Jim Hefferon

28.10.2002, 16:12:35
mm0...@alas.matf.bg.ac.yu (Danilo Segan) wrote

> Some of the void tricks include
> \output={\unvbox255\setbox0=\vbox{a}\shipout\box0}, \def\a{\a}\a, and
> of course unprivileged \input's, \read's, \write's, \openin,
> \openout, \catcode games, and anything else I have missed.
>
Are you aware of \write18 ? If not, look it up on groups.google.com.

I'd be interested in what you end with.

Jim Hefferon

David Kastrup

28.10.2002, 16:52:24
jhef...@smcvt.edu (Jim Hefferon) writes:

> mm0...@alas.matf.bg.ac.yu (Danilo Segan) wrote
> > Some of the void tricks include
> > \output={\unvbox255\setbox0=\vbox{a}\shipout\box0}, \def\a{\a}\a, and
> > of course unprivileged \input's, \read's, \write's, \openin,
                                              ^^^^^^^^
> > \openout, \catcode games, and anything else I have missed.
> >
> Are you aware of \write18 ? If not, look it up on groups.google.com.

Why?

--
David Kastrup, Kriemhildstr. 15, 44793 Bochum
Email: David....@t-online.de

Richard J Kinch

28.10.2002, 17:08:28
Danilo Segan writes:

> Any help, hint greatly appreciated (is there a preexisting package, am
> I missing something, etc.).

File security must be done outside of the TeX input. E.g., set TEXINPUTS
such that access is restricted to a given subdirectory.

Scott Pakin

28.10.2002, 17:34:18
Richard J Kinch wrote:
> File security must be done outside of the TeX input. E.g., set TEXINPUTS
> such that access is restricted to a given subdirectory.

The TeX code could still use an absolute pathname to wreak havoc.
However your premise is still valid; just replace "set TEXINPUTS" with
"run chroot".

-- Scott

David Kastrup

28.10.2002, 18:14:33
Scott Pakin <pa...@uiuc.edu> writes:

> Richard J Kinch wrote:
> > File security must be done outside of the TeX input. E.g., set
> > TEXINPUTS such that access is restricted to a given subdirectory.
>
> The TeX code could still use an absolute pathname to wreak havoc.

Not with the usual safety settings of web2c.

Robin Fairbairns

28.10.2002, 18:58:59

and of course, \openout (to prevent data being overwritten) and
\input and \openin (to prevent data leaking).

one can go on and on; personally i'm more persuaded by the (flawed)
idea of the java sandbox, and the rather more rugged constructions
that are coming out of operating systems research.
--
Robin Fairbairns, Cambridge -- the man with no voice (_again_)

Donald Arseneau

28.10.2002, 21:32:22
mm0...@alas.matf.bg.ac.yu (Danilo Segan) writes:

> Is there any existing macro package that is good enough at rendering
> all the mathematical formulae, yet prohibits all the dangerous tricks
> with TeX?
>

> The reason I need this is to make formulae insertion possible in one
> web-based forum.

So what possible activities are you trying to prohibit? It looks
like the main problem is overwriting files. For that, I would
just run TeX in a subdirectory with a small disk quota or on a
small partition. Make sure the executable has standard safety
configured (no \write18 extension, no write access out of the
sub-directory). Apply a cpu-limit to the process, or kill it
after a few seconds.

There are just too many ways to make TeX go into infinite loops
to prevent them all while maintaining good functionality.

Donald Arseneau as...@triumf.ca
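
The confinement described in the post above (safety settings on the executable, a CPU limit, killing the process after a few seconds), as an added example that is not code from any poster in the thread. It assumes Linux and a web2c/kpathsea-based `tex` binary; `tex_command`, `run_limited` and `job.tex` are names made up for the example, and the disk quota and chroot suggestions are not covered.

```python
import os
import resource
import shutil
import subprocess
import tempfile


def tex_command(jobfile):
    """argv and environment for one run; assumes a web2c/kpathsea-based tex."""
    argv = ["tex", "-no-shell-escape", "-interaction=batchmode",
            "-halt-on-error", jobfile]
    env = {
        "PATH": os.environ.get("PATH", "/usr/bin:/bin"),
        "openout_any": "p",  # paranoid: no writes outside the working directory
        "openin_any": "p",   # paranoid: same restriction for \input and \openin
    }
    return argv, env


def _cap(kind, value):
    """Set soft and hard limit to value, never above the inherited hard limit."""
    hard = resource.getrlimit(kind)[1]
    if hard != resource.RLIM_INFINITY:
        value = min(value, hard)
    resource.setrlimit(kind, (value, value))


def run_limited(argv, cwd, env, cpu_s=5, wall_s=10, fsize=5 * 2**20):
    """Run argv in cwd; returns 'ok', 'error', 'killed' or 'timeout'."""
    def limits():  # executed in the child between fork and exec
        _cap(resource.RLIMIT_CPU, cpu_s)
        _cap(resource.RLIMIT_FSIZE, fsize)
    try:
        proc = subprocess.run(argv, cwd=cwd, env=env, preexec_fn=limits,
                              stdin=subprocess.DEVNULL, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=wall_s)
    except subprocess.TimeoutExpired:
        return "timeout"  # subprocess.run kills the child before re-raising
    if proc.returncode < 0:
        return "killed"   # ended by a signal such as SIGXCPU, SIGKILL or SIGXFSZ
    return "ok" if proc.returncode == 0 else "error"


if __name__ == "__main__" and shutil.which("tex"):
    with tempfile.TemporaryDirectory() as scratch:
        # Constructed job file: the runaway macro quoted in the thread.
        with open(os.path.join(scratch, "job.tex"), "w") as f:
            f.write("\\def\\a{\\a}\\a\n\\bye\n")
        argv, env = tex_command("job.tex")
        print(run_limited(argv, scratch, env, cpu_s=2, wall_s=5))
```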
