[tex-k] secure mode of dvips should be default
Sebastian Rahtz
sebastian.rahtz@computing-services.oxford.ac.uk
Sun, 3 Jun 2001 13:05:26 +0100
Thomas Esser writes:
> > Xdvi implements such a trusted list, sort of. If xdvi encounters a
> > PostScript file whose name ends in .Z or .gz or .bz2, and if the first
> > 2-3 bytes of the file are the correct magic bytes for the file type,
> > then xdvi will automatically pass the file through uncompress or gunzip
> > or bunzip2 before processing it. IMHO, dvips should do the same
> > (and TeX, likewise, when getting bounding box information).
> >
> > Comments, anyone?
>
> Even better would be to use libgz / libbz2 for decompression. No fork,
> no security problem.
The dvips in TeXlive does the same as xdvi, looking for .gz etc, and
calling the right program. I agree, its a security problem. I note
that I added in the source at the relevant point:
/* FIXME : use zlib instead of gzip ! */
:-}
if someone would like to fix this up, it would be great. since zlib is
already in place for pdftex and dvipdfm, should be easy. it just needs
a Real Programmer
r
sebastian