[DVIPDFMx] [XeTeX] File name bug when using \includegraphics

Heiko Oberdiek heiko.oberdiek at googlemail.com
Fri Oct 8 21:34:29 KST 2010


On Fri, Oct 08, 2010 at 08:30:36AM +0200, Heiko Oberdiek wrote:

> from the xetex at tug.org mailing list:
> 
> there is again a security hole that allows calling arbitrary commands:
> 
> On Fri, Oct 08, 2010 at 08:19:21AM +0200, Heiko Oberdiek wrote:
> 
> [...]
> > I can confirm the bug under Linux for files in \special{PSfile=...}.
> > The problem is located in xdvipdfmx. Using the configuration
> > file dvipdfmx.cfg it constructs a command line for conversion to PDF.
> > The command line is then passed to the *shell* and the shell interprets
> > some characters in a special way.
> > 
> > I strongly recommend to change the D option of dvipdfmx.def
> > by adding single quotes around arguments with user input, e.g.:
> > 
> >   D "rungs ... -sOutputFile=%o %i -c quit"
> > 
> > to
> > 
> >   D "rungs ... '-sOutputFile=%o' -f '%i' -c quit"
> > 
> > Unhappily single quotes will not work in Windows, AFAIK.

Akira reported in the xetex mailing list that this also works
in Windows.

Additionally, dpx_file_apply_filter in dpxfile.c should avoid
calling system in a form that invokes the shell.
dpxfile.c could first parse the command template and separate
the arguments (with quoting support). Then the arguments can
be parsed for %i, %o, %b, which are then replaced. Then execve can
be used to avoid the shell.

Yours sincerely
  Heiko Oberdiek
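
The approach sketched in the message (tokenize the template with quoting support, substitute the %i/%o/%b placeholders afterwards, then exec without a shell) as an added illustration; this is example code written for this page, not code from dvipdfmx or from the author. The template, the file names (including a constructed one containing a `;`) and the function names `build_argv`, `free_argv` and `run_filter` are all assumptions of the example. Because substitution happens after tokenizing, a file name can only ever land inside one argv entry, and because execvp replaces system(), no shell ever sees it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Grow-on-demand buffer used while assembling one argument. */
typedef struct { char *s; size_t len, cap; } strbuf;

static int sb_putc(strbuf *b, char c) {
    if (b->len + 1 >= b->cap) {
        size_t ncap = b->cap ? b->cap * 2 : 64;
        char *n = realloc(b->s, ncap);
        if (!n) return -1;
        b->s = n; b->cap = ncap;
    }
    b->s[b->len++] = c;
    b->s[b->len] = '\0';
    return 0;
}

static int sb_puts(strbuf *b, const char *s) {
    for (; *s; s++) if (sb_putc(b, *s) < 0) return -1;
    return 0;
}

/* Split a command template into argv entries.  Single and double quotes
 * group words; %i, %o, %b (and %% for a literal %) are replaced *after*
 * the word boundaries are fixed, so bytes from the file names can never
 * open or close a word and are never interpreted as shell syntax.
 * Returns argc (argv is NULL-terminated) or -1 on unbalanced quote,
 * too many arguments or out-of-memory. */
int build_argv(const char *tmpl, const char *in, const char *out,
               const char *base, char **argv, int max_args)
{
    int argc = 0, in_word = 0;
    char quote = 0;
    strbuf cur = {0};

    for (const char *p = tmpl; ; p++) {
        char c = *p;
        if (c == '\0' || (!quote && (c == ' ' || c == '\t'))) {
            if (in_word) {
                if (argc + 1 >= max_args) goto fail;
                if (!cur.s && !(cur.s = calloc(1, 1))) goto fail; /* e.g. '' */
                argv[argc++] = cur.s;           /* ownership moves to argv */
                cur.s = NULL; cur.len = cur.cap = 0;
                in_word = 0;
            }
            if (c == '\0') break;
            continue;
        }
        in_word = 1;
        if (quote) {
            if (c == quote) { quote = 0; continue; }
        } else if (c == '\'' || c == '"') {
            quote = c;
            continue;
        }
        if (c == '%' && p[1] != '\0') {
            const char *rep = NULL;
            switch (p[1]) {
            case 'i': rep = in;   break;
            case 'o': rep = out;  break;
            case 'b': rep = base; break;
            case '%': rep = "%";  break;
            }
            if (rep) { if (sb_puts(&cur, rep) < 0) goto fail; p++; continue; }
        }
        if (sb_putc(&cur, c) < 0) goto fail;
    }
    if (quote) goto fail;                       /* unbalanced quote */
    argv[argc] = NULL;
    return argc;
fail:
    free(cur.s);
    for (int i = 0; i < argc; i++) free(argv[i]);
    argv[0] = NULL;
    return -1;
}

void free_argv(char **argv, int argc) {
    for (int i = 0; i < argc; i++) free(argv[i]);
}

/* Execute argv directly via fork + execvp: no /bin/sh is involved.
 * Returns the child's exit status, or -1 on fork/wait/exec failure. */
int run_filter(char *const argv[]) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execvp(argv[0], argv); _exit(127); }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed inputs: a file name that would be dangerous under system(). */
    const char *tmpl = "rungs -q -dNOPAUSE '-sOutputFile=%o' -f '%i' -c quit";
    char *argv[16];
    int argc = build_argv(tmpl, "fig;id.eps", "fig.pdf", "fig", argv, 16);
    for (int i = 0; i < argc; i++) printf("argv[%d] = [%s]\n", i, argv[i]);
    free_argv(argv, argc);
    return argc < 0;
}
```

Running it shows `fig;id.eps` arriving as one argv entry; the same template handed to system() would have let the shell split it at the `;`.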
