6

MediaWiki allows one to embed TeX math code that is rendered into images and posted into the Wiki pages. Is this safe? If one allows untrusted users to input TeX programs to be executed by an interpreter running in a web server, does it open the server up to being hacked by using the TeX interpreter to read files from the server's disks? Is there a way to execute untrusted TeX code safely?

Arcane
  • 1,230
  • 1
  • 8
  • 15
  • Same question on TeX.SE: [online - How can I safely compile other people's LaTeX documents? - TeX - LaTeX Stack Exchange](https://tex.stackexchange.com/questions/10418/how-can-i-safely-compile-other-peoples-latex-documents) – user202729 Jun 25 '22 at 07:15

3 Answers3

4

Obviously TeX is able to open and write files through normal operation, which is a possible attack vector. Putting the execution into a sandbox or jail should take care of that.

Be sure to disable \write18, which allows a TeX source file to execute OS commands. There's no good reason to allow that mechanism.

As for the TeX interpreter itself, I'd say there is very little to worry about as it likely has the least significant bug count of any full-featured interpreter ever written. Some other part of your stack will be a far bigger target.

Svante
  • 50,694
  • 11
  • 78
  • 122
Jon 'links in bio' Ericson
  • 20,880
  • 12
  • 98
  • 148
2

If your TeX distribution uses the Kpathsea library (it probably does), see the Security section in its documentation.

Jouni K. Seppänen
  • 43,139
  • 5
  • 71
  • 100
  • An excellent suggestion. From the sound of it, TeX wouldn't need that many files to perform the task suggested by the questioner, but other uses might open up quite a bit of the host system. – Jon 'links in bio' Ericson Jan 24 '09 at 00:36
-1

In theory, yes.
It depends on your TeX interpreter. If a security breach is found in the interpreter you're using and that security breach means that a user can execute arbitrary code then you have a problem.

shoosh
  • 76,898
  • 55
  • 205
  • 325