SECURITY: vulnerability in PDF export

John MacFarlane

Aug 12, 2021, 2:29:24 AM

Augustin Laville has alerted me to a serious security
vulnerability affecting gitit instances that enable
pdf-export. (This is disabled by default, so this only
affects you if your config file has pdf-export: yes.)

The problem is that raw LaTeX include statements
on markdown wiki pages can be passed through to the
LaTeX intermediary that is used to produce the PDF,
causing the LaTeX program to read an arbitrary file
on the file system and leak its details to the exported
PDF. (e.g., \include{/etc/passwd})

For now, I urge anyone who is using pdf-export to
disable it until a fix is ready. I have found a way
to block this vulnerability and plan to put out a new release

John MacFarlane

Aug 12, 2021, 3:56:17 PM

gitit has now been released.

It includes a security fix which prevents latex from
including files above the current tree. If you are
using pdf export, please upgrade immediately.

It also builds with the latest pandoc.

Support for older ghc versions (< 8.6) has been dropped.
And ghc 9 is not yet supported, due to an issue in a
dependent library.

John MacFarlane

Aug 12, 2021, 4:15:13 PM

I've realized that there is still a vulnerability,
though now the leakage is limited to files in the
directory from which one runs gitit. If this contains
config files or user databases, these can be leaked.

Recommendation: disable pdf-export until a better
fix is available.
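
The two messages above describe a containment fix (LaTeX may no longer read files above the current tree) and the exposure it leaves behind (anything in the directory gitit runs from, such as config files or user databases, is still readable). The following is an added example, not gitit's own code, that models both points: a path-containment rule of the kind the fix describes, a stricter allow-list rule that also excludes the working directory's top level, and a small scan for raw `\include` commands in a wiki page so an export pipeline can refuse or audit such pages before they reach LaTeX. The root path `/srv/gitit-example`, the sample page, and the `wikidata` content directory name are constructed assumptions for the demonstration.

```python
# Added example (not gitit's code): path-containment checks of the kind the
# thread's fix describes, and a scan for raw \include commands in wiki markdown.
import os
import re
from typing import Iterable, List


def resolve_under(root: str, requested: str) -> str:
    """Resolve `requested` relative to `root` and canonicalise it.

    An absolute `requested` path ignores `root`, which is exactly what makes a
    raw \\include{/etc/passwd} dangerous when nothing checks the result.
    """
    return os.path.realpath(os.path.join(os.path.realpath(root), requested))


def is_within_tree(root: str, requested: str) -> bool:
    """Containment rule of the first fix: the resolved path must stay inside
    `root`. Rejects absolute paths outside the tree and '..' escapes, but still
    admits any file directly under `root` (the residual leak)."""
    root_real = os.path.realpath(root)
    candidate = resolve_under(root, requested)
    return candidate == root_real or candidate.startswith(root_real + os.sep)


def is_exportable(root: str, requested: str, content_dirs: Iterable[str]) -> bool:
    """Stricter rule: besides staying inside `root`, the file must live under
    one of the named wiki-content directories, so config files and user
    databases at the top level of the working directory are not reachable.
    `content_dirs` is an allow-list the deployment must supply (assumption)."""
    if not is_within_tree(root, requested):
        return False
    rel = os.path.relpath(resolve_under(root, requested), os.path.realpath(root))
    top = rel.split(os.sep, 1)[0]
    # The directory itself (top == rel) is not a file and is not exportable.
    return top in set(content_dirs) and top != rel


# Raw LaTeX \include{...} as it appears in a markdown page (the thread's example).
RAW_INCLUDE = re.compile(r"\\include\s*\{([^}]*)\}")


def find_raw_includes(markdown: str) -> List[str]:
    """Return the file arguments of raw \\include commands found in a page, so
    the exporter can refuse the page or log it for review before running LaTeX."""
    return RAW_INCLUDE.findall(markdown)


if __name__ == "__main__":
    ROOT = "/srv/gitit-example"                       # constructed root path
    PAGE = "Some wiki text\n\\include{/etc/passwd}\n"  # constructed page, thread's example
    print("raw includes on page:", find_raw_includes(PAGE))
    for req in ["/etc/passwd", "../../etc/passwd", "gitit.conf",
                "wikidata/Front Page.page"]:
        print(f"{req!r}: within tree={is_within_tree(ROOT, req)}, "
              f"exportable={is_exportable(ROOT, req, ['wikidata'])}")
```

Run as a script, the table shows the progression in the thread: `/etc/passwd` and `../../etc/passwd` fail the containment rule, `gitit.conf` passes it (the leak the third message reports) but fails the allow-list rule, and only a file under the wiki-content directory passes both. A containment check at the filesystem level is a second layer; the first is the conversion step itself, since pandoc's markdown `raw_tex` extension can be disabled so raw LaTeX is never passed through to the intermediary at all.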

John MacFarlane

Aug 12, 2021, 4:46:13 PM

I have now identified a further vulnerability of the
same nature, but not limited to pdf-export.

Recommendation: please take gitit wikis offline until
we can fix this.

John MacFarlane

Aug 12, 2021, 8:10:42 PM

I have now released Everyone with a public
facing gitit instance should upgrade immediately.

This release removes the "Export" feature, which provided
several vectors for viewing contents of files on the file
system. Given my limited time for gitit development,
I have opted to remove the feature entirely, which should
remove these vulnerabilities.
