Uwe Brauer wrote:
Christian Ridderström wrote:
On Mon, 22 Sep 2008, Uwe Brauer wrote:
> This solution exists. See here for instance
> http://www.pmwiki.org/wiki/Cookbook/PublishPDF
Having read this again, it seems to me that you cannot directly write
Latex or Lyx input into the wiki which is then converted. You have to
start with some wiki dialect, is this correct?
Correct. It converts wiki (via XML, then LaTeX) to PDF. Please note
that allowing plain, arbitrary LaTeX to be parsed on an open wiki is a
security risk.
Why is this so? What a pity, that would be ideal for collaboration.
Because running latex on unrestricted input in practice lets you
do anything you can do with a program. Want to plant a virus program?
Embed the virus in latex code as a string of bytes, then add some
trivial latex code to (1) write the virus to a disk file, and (2)
execute that file somehow. Or maybe executing it isn't even necessary
if it gets published on the wiki where unsuspecting people will
stumble across it.
There are ways around this, such as:
* Verify the latex code, but that is almost impossible to do.
* Use a password protected system where only trusted users have access.
  They will not abuse latex by definition - they are trusted.
  Fine for collaboration within an organisation, not so fine for
  something as open as a public wiki.
* Set up the latex parsing very carefully, perhaps using a chroot
  where only the necessary latex files are available, and all read-only.
  Run it under a special userID that isn't used for anything else.
  Take care to set up quotas and ulimit. Set up a timer that kills
  the latex run if it takes "too long".
  The setup is now safe - even the most diabolical programmer cannot
  abuse latex worse than wasting some disk space and cpu time within
  the set limits. And the disk space is supposedly freed up when
  latex is finished. Well, they can still cause network traffic, such
  as running DOS/cracking attacks against other hosts within the time
  limit. Maybe there is a way of removing network access too. :-/
Helge Hafting
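
The ulimit and kill-timer parts of the setup described in the message above, as an added example that is not part of the original thread: a wrapper a wiki backend could use to start the latex run. The function name, the limit values, the pdflatex argv and the kpathsea settings are assumptions of this example; the chroot, the dedicated userID, disk quotas and network isolation need root and are assumed to be set up outside this wrapper.

```python
import os
import resource
import signal
import subprocess

# Assumed command line for the run; -no-shell-escape turns off \write18,
# so the document cannot ask TeX to start other programs.
LATEX_ARGV = ["pdflatex", "-no-shell-escape", "-interaction=nonstopmode",
              "-halt-on-error", "page.tex"]


def run_limited(argv, workdir, wall_s=30, cpu_s=20, max_file_bytes=20 << 20):
    """Run argv in workdir under rlimits and a wall-clock kill timer.

    Returns (status, output); status is "ok", "failed" or "timeout".
    """
    def set_limits():
        # Runs in the child between fork() and exec(), like `ulimit` in a shell.
        resource.setrlimit(resource.RLIMIT_CPU, (cpu_s, cpu_s))
        resource.setrlimit(resource.RLIMIT_FSIZE, (max_file_bytes,) * 2)
        resource.setrlimit(resource.RLIMIT_CORE, (0, 0))

    # Minimal environment. openout_any/openin_any = "p" (paranoid) are
    # kpathsea settings added by this example: TeX refuses absolute paths
    # and paths that climb out of the working directory.
    env = {"PATH": "/usr/bin:/bin", "HOME": workdir,
           "openout_any": "p", "openin_any": "p"}
    proc = subprocess.Popen(
        argv, cwd=workdir, env=env, stdin=subprocess.DEVNULL,
        stdout=subprocess.PIPE, stderr=subprocess.STDOUT,
        start_new_session=True,  # own process group, so helpers die with it
        preexec_fn=set_limits)
    try:
        out, _ = proc.communicate(timeout=wall_s)
    except subprocess.TimeoutExpired:
        # The "too long" timer: kill the whole process group, then reap it.
        os.killpg(proc.pid, signal.SIGKILL)
        out, _ = proc.communicate()
        return "timeout", out
    return ("ok" if proc.returncode == 0 else "failed"), out


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as job_dir:  # one fresh dir per job
        print(run_limited(LATEX_ARGV, job_dir)[0])
```

Removing the per-job directory after each run is what frees the disk space again.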