[DVIPDFMx] [XeTeX] File name bug when using \includegraphics
Heiko Oberdiek
heiko.oberdiek at googlemail.com
Fri Oct 8 21:38:44 KST 2010
On Fri, Oct 08, 2010 at 02:34:29PM +0200, Heiko Oberdiek wrote:
> On Fri, Oct 08, 2010 at 08:30:36AM +0200, Heiko Oberdiek wrote:
>
> > from the xetex at tug.org mailing list:
> >
> > there is again a security hole that allows calling arbitrary commands:
> >
> > On Fri, Oct 08, 2010 at 08:19:21AM +0200, Heiko Oberdiek wrote:
> >
> > [...]
> > > I can confirm the bug under Linux for files in \special{PSfile=...}.
> > > The problem is located in xdvipdfmx. Using the configuration
> > > file dvipdfmx.cfg it constructs a command line for conversion to PDF.
> > > The command line is then passed to the *shell* and the shell interprets
> > > some characters in a special way.
> > >
> > > I strongly recommend changing the D option of dvipdfmx.def
> > > by adding single quotes around arguments with user input, e.g.:
> > >
> > > D "rungs ... -sOutputFile=%o %i -c quit"
> > >
> > > to
> > >
> > > D "rungs ... '-sOutputFile=%o' -f '%i' -c quit"
> > >
> > > Unhappily single quotes will not work in Windows, AFAIK.
>
> Akira reported in the xetex mailing list that this also works
> in Windows.
>
> Additionally dpx_file_apply_filter in dpxfile.c should avoid
> calling system in the form that the shell is invoked.
> dpxfile.c could first parse the command template and separate
> the arguments (with quoting support). Then the arguments can
> be parsed for %i, %o, %b, which are then replaced. Then execve can
> be used to avoid the shell.
I forgot an alternative (but I would prefer avoiding system()):
* rejecting file names with backticks and quotes.
Yours sincerely
Heiko Oberdiek
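The two shapes contrasted in the message above, as an added example that is not dvipdfmx's own code: a textual %i/%o/%b substitution whose result is meant for system() (the vulnerable path), and a version that first tokenises the "D" template with quoting support, substitutes inside each word, and then runs the result with fork/execvp so no shell ever sees the file name. The function names (substitute, split_template, build_argv, run_argv) and the shortened rungs templates are assumptions made for the example; the PSfile name is constructed input.

```c
/* Added example, not dvipdfmx code: one "D" template handled two ways.
 * substitute() + system() is the vulnerable shape; build_argv() + run_argv()
 * tokenises first and never invokes /bin/sh.  All names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define MAX_ARGS 32

/* Textual %i/%o/%b substitution.  Applied to the whole template this is what
 * system() would receive; applied to one argv word it is safe.  Caller frees. */
char *substitute(const char *tmpl, const char *in, const char *out, const char *base)
{
    size_t m = strlen(in);
    if (strlen(out) > m) m = strlen(out);
    if (strlen(base) > m) m = strlen(base);
    char *buf = malloc(strlen(tmpl) * (m + 1) + 1), *p = buf;
    for (; *tmpl; tmpl++) {
        const char *rep = NULL;
        if (*tmpl == '%') {
            if (tmpl[1] == 'i') rep = in;
            else if (tmpl[1] == 'o') rep = out;
            else if (tmpl[1] == 'b') rep = base;
        }
        if (rep) { strcpy(p, rep); p += strlen(rep); tmpl++; }
        else *p++ = *tmpl;
    }
    *p = '\0';
    return buf;
}

void free_argv(char **argv)
{
    for (int i = 0; argv[i]; i++) free(argv[i]);
}

/* Split the template into words as a POSIX shell would, but with no expansion:
 * blanks separate words, '...' and "..." group text and are dropped.  argv is
 * NULL-terminated.  Returns argc, or -1 on an unterminated quote / too many words. */
int split_template(const char *tmpl, char **argv, int max_args)
{
    int argc = 0;
    const char *p = tmpl;
    argv[0] = NULL;
    for (;;) {
        while (*p == ' ' || *p == '\t') p++;
        if (!*p) break;
        if (argc >= max_args - 1) { free_argv(argv); return -1; }
        char *word = malloc(strlen(p) + 1), *w = word;
        char q = 0;                      /* active quote character, if any */
        while (*p && (q || (*p != ' ' && *p != '\t'))) {
            if (q) { if (*p == q) q = 0; else *w++ = *p; }
            else if (*p == '\'' || *p == '"') q = *p;
            else *w++ = *p;
            p++;
        }
        *w = '\0';
        argv[argc++] = word;
        argv[argc] = NULL;
        if (q) { free_argv(argv); return -1; }
    }
    return argc;
}

/* Safe shape: tokenise first, substitute inside each word afterwards, so a
 * file name can add neither words nor shell syntax. */
int build_argv(const char *tmpl, const char *in, const char *out,
               const char *base, char **argv, int max_args)
{
    int argc = split_template(tmpl, argv, max_args);
    for (int i = 0; i < argc; i++) {
        char *exp = substitute(argv[i], in, out, base);
        free(argv[i]);
        argv[i] = exp;
    }
    return argc;
}

/* Run argv directly (fork + execvp), never via a shell.  Returns the child's
 * exit status, or -1 if it could not be started or waited for. */
int run_argv(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execvp(argv[0], argv); _exit(127); }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed PSfile name carrying shell syntax. */
    const char *in = "fig`touch pwned`.eps", *out = "fig.pdf", *base = "fig";
    char *line = substitute("rungs -sOutputFile=%o %i -c quit", in, out, base);
    printf("system() would see: %s\n", line);   /* backticks run before rungs does */
    free(line);
    char *argv[MAX_ARGS];
    int argc = build_argv("rungs '-sOutputFile=%o' -f '%i' -c quit", in, out, base, argv, MAX_ARGS);
    for (int i = 0; i < argc; i++) printf("argv[%d] = %s\n", i, argv[i]);
    /* run_argv(argv) would now exec rungs with the literal file name as argv[3]. */
    free_argv(argv);
    return 0;
}
```

With the tokenise-then-substitute order the single quotes in the template are only grouping syntax for the template parser; they are no longer what keeps the backticks inert, which is the point of avoiding system() in the first place.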