So... (sorry for my English) there is a lot of conversation about my plugin on your mailing list, and also a bug report on SourceForge related to your remark.

My message will not be complete (because it's 4.50 am here and I must be at school at 8 am).

First of all, you speak of the tex2im dependency. This has not been needed since version 0.3. Now I make the following system calls (yep, it's not a good way, for example if /tmp doesn't exist). FILE_SOMETHING represents /tmp/gaimTeX.something:

    chdir("/tmp");
    system("latex -interaction=nonstopmode " FILE_TEX);
    system("dvips -o" FILE_PS " -E " FILE_DVI);
    system("convert " FILE_PS " " FILE_PNG);

and finally I do a system("rm -rf /tmp/GaimTeX.*") somewhere.

If you can tell me where you found the tex2im dependency (README, INSTALL, ...), it can help me to remove it in the next version.

Now, about the security problem... Yes, I know it's possible to have some problems with the latex call. But if someone sends $$\input{/etc/passwd}$$ he will see (at best) the local /etc/passwd file, and the receiver, the local /etc/passwd. So not the same. And in reality, he will see nothing.

One of the authors (the principal one?) of kopeteTeX (which is compatible, to respond to one of the first questions) (the developer is Olivier Goffart) has given me some advice, which was to blacklist some commands.

I have blacklisted the same commands as kopetetex, that is:

> #define NB_BLACKLIST (42)
> #define BLACKLIST \
> {"\\def","\\let","\\futurelet","\\newcommand","\\renewcomment","\\else","\\fi", \
>  "\\write","\\input","\\include","\\chardef","\\catcode","\\makeatletter", \
>  "\\noexpand","\\toksdef","\\every","\\errhelp","\\errorstopmode","\\scrollmode", \
>  "\\nonstopmode","\\batchmode","\\read","\\csname","\\newhelp","\\relax", \
>  "\\afterground","\\afterassignment","\\expandafter","\\noexpand","\\special", \
>  "\\command","\\loop","\\repeat","\\toks","\\output","\\line","\\mathcode", \
>  "\\name","\\item","\\section","\\mbox","\\DeclareRobustCommand"}

So (in the normal case) all of these commands will not be "authorised". In fact, if you send a message like:

    normal text \input in normal text $$equation$$ normal text $$equation $$

(or with the blacklisted command in the $$equation part$$), the message _will not_ be transformed using the latex compiler (with the is_blacklisted function).

If some other commands have to be blacklisted, I hear you.

If you have any suggestions about security problems (for example an error in my code, or a latex hack to "eviter" (French word, don't know it in English) this security), you can continue the discussion here, I will read it. Also other bugs can be posted on SourceForge, for example.

Nicolas Schoonbroodt
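The whole-message check described in the message above, as an added example that is not the plugin's own code. The function names are hypothetical and substring matching is an assumption about how is_blacklisted works; the list is the one quoted in the message, with \renewcomment and \afterground written as \renewcommand and \aftergroup (assumed intent) and the repeated \noexpand dropped.

```c
#include <stdio.h>
#include <string.h>

/* List from the message; two spellings changed and one duplicate dropped,
 * as stated in the lead-in (assumptions, not the plugin's source). */
static const char *const BLACKLIST[] = {
    "\\def", "\\let", "\\futurelet", "\\newcommand", "\\renewcommand",
    "\\else", "\\fi", "\\write", "\\input", "\\include", "\\chardef",
    "\\catcode", "\\makeatletter", "\\noexpand", "\\toksdef", "\\every",
    "\\errhelp", "\\errorstopmode", "\\scrollmode", "\\nonstopmode",
    "\\batchmode", "\\read", "\\csname", "\\newhelp", "\\relax",
    "\\aftergroup", "\\afterassignment", "\\expandafter", "\\special",
    "\\command", "\\loop", "\\repeat", "\\toks", "\\output", "\\line",
    "\\mathcode", "\\name", "\\item", "\\section", "\\mbox",
    "\\DeclareRobustCommand",
};
#define NB_BLACKLIST (sizeof BLACKLIST / sizeof BLACKLIST[0])

/* Hypothetical helper: first blocklisted command found anywhere in the
 * message (inside or outside $$...$$), or NULL if none is present.
 * Plain substring matching, so "\\linebreak" is refused because of
 * "\\line": the check errs toward refusing. */
static const char *find_blacklisted(const char *msg)
{
    for (size_t i = 0; i < NB_BLACKLIST; i++)
        if (strstr(msg, BLACKLIST[i]) != NULL)
            return BLACKLIST[i];
    return NULL;
}

/* 1 = message may be handed to latex, 0 = leave it as plain text.
 * Fails closed on a NULL message. */
static int may_render(const char *msg)
{
    return msg != NULL && find_blacklisted(msg) == NULL;
}

int main(void)
{
    /* Constructed samples; the first two are the messages from the text. */
    const char *samples[] = {
        "$$\\input{/etc/passwd}$$",
        "normal text \\input in normal text $$equation$$",
        "the roots are $$x = \\frac{-b \\pm \\sqrt{b^2-4ac}}{2a}$$",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-7s %s\n", may_render(samples[i]) ? "render" : "refuse",
               samples[i]);
    return 0;
}
```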