From: Hans Hagen
Newsgroups: gmane.comp.tex.context, gmane.linux.debian.devel.tetex
Subject: Re: Two problems with current ruby scripts
Date: Wed, 25 Oct 2006 10:50:49 +0200
Message-ID: <453F2569.5080805@wxs.nl>
References: <20061025081906.GA13463@gamma.logic.tuwien.ac.at>
Reply-To: mailing list for ConTeXt users
Cc: Mike Bird, debian-tex-maint@lists.debian.org
Norbert Preining wrote:
> Dear all!
>
> The packages of ConTeXt I am currently preparing are tested by a user
> and he sent back the following questions/comments. Could you please
> comment on this.
>
> For the background: I install all the stubs from
> scripts/context/stubs/unix
> into /usr/bin, add a texmfstart stub that calls ruby with the right path
> to texmfstart.rb.
>
> ----- Forwarded message from Mike Bird -----
>
>> From: Mike Bird
>> Subject: New texexec very confused
>> To: debian-tex-maint@lists.debian.org
>> Date: Tue, 24 Oct 2006 20:52:30 -0700
>>
>> The new ruby texexec is very confused. The problem of output
>> defaulting to pdf instead of dvi has already been noted. Here
>> are some additional problems:
>>
>> Command: texexec --output=dvips foo
>> Should produce: foo.dvi
>> Actually produces: foo.pdf

hm, i need to check that, maybe there is no dvips option

>> Command: texexec --dvi foo
>> Should produce: foo.dvi
>> Actually produces: foo.dvi AND OVERWRITES foo.ps
>>
>> --Mike Bird

that's because the backend is called as well (dvips); the latest version has a --nobackend option

> ----- End forwarded message -----
>
>
> ----- Forwarded message from Mike Bird -----
>
>> From: Mike Bird
>> Subject: Is texmfstart secure?
>> To: debian-tex-maint@lists.debian.org
>> Date: Tue, 24 Oct 2006 21:08:53 -0700
>>
>> Package: context 2006.08.08-0.4
>>
>> If anyone who knows Ruby has time, can you tell if texmfstart is
>> secure? I was really surprised to see client-server code. Even
>> localhost services can lead to privilege escalation if not careful.

hm, if you don't invoke that code it's not used, so there can hardly be a leak then; the server/client code is a bit experimental and is related to distributed ruby code; imagine a situation where one has many (frozen) tex trees on a server that is used for automated tex processing; in that case, instead of calling kpsewhich each time, a service will keep the file databases (for multiple trees) in memory etc etc; as said, the average user never enters this code, and it's not even loaded when your system is not explicitly configured to do so

>> For example, /usr/share/texmf/scripts/context/ruby/texmfstart.rb
>> contains the following. I'm not a Ruby programmer but the comment
>> leads me to think there is a potential problem here:
>>
>> # danger lurking
>> buffer = ' ' * 260
>> length = filemethod.call(filename,buffer,buffer.size)
>> if length>0 then
>> return buffer.slice(0..length-1)

this has to do with windows long/short names and this branch is never entered under unix; also, buffer is just a string and has nothing to do with "buffers that produce those buffer overflows"

>> It looks like PRAGMA is trying to reinvent kpsewhich, integrate internet

well, it's mostly a wrapper around kpsewhich; it would be natural to have kpse as a library but (1) it's not stable [api cq. names change] and i don't see a stable kpse lib usable in script languages show up; (and yes: i rewrote kpse in ruby, and surprise, in some cases it even runs faster than the c version); consider that in context there can be runs with (say) 400 calls to metapost and then it really pays off to bypass this ls-r loading

>> explorer, launch editors, and do a whole bunch of other stuff I haven't

this launching is only used when one starts documentation -- we use this in editors: context sensitive help started by a few keystrokes; another option is to use file associations but that has some disadvantages; anyhow, i see no security risks here since all happens inside the tex domain; i don't need tex to crash an internet browser (on any system) -)

>> figured out. texexec should be a simple wrapper around tex or pdftex
>> but it works via texmfstart.rb which is 2541 lines of Ruby - and that's
>> a lot of Ruby. It may all be wonderful (I am not a Ruby programmer) but

well, if kpse* would have evolved ... sure, but it didn't; also, since i run tex on windows, linux and macosx, i want one launcher for all of them, not all kinds of os dependent scripts

>> it makes me nervous.

well, i would be more worried about tons of cryptic perl code; even if i've written it myself, after a few years i can no longer figure out what it does;

>> Is an older/simpler texexec still available?

there is still texexec.pl (will always be around) but i will no longer develop the perl scripts

Hans

--
-----------------------------------------------------------------
Hans Hagen | PRAGMA ADE
Ridderstraat 27 | 8061 GH Hasselt | The Netherlands
tel: 038 477 53 69 | fax: 038 477 53 74 | www.pragma-ade.com
| www.pragma-pod.nl
-----------------------------------------------------------------
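The "String as out-buffer" idiom argued over above, as an added example that is not code from texmfstart.rb or from this thread: a hypothetical fake_short_path stands in for the unnamed filemethod and is assumed to follow the usual Win32 convention of returning the size it needs when the buffer is too small, which is the one case the quoted snippet does not check. It shows Hans's point (a Ruby String bounds every write, so there is no C-style overrun) and the caveat a reviewer would still raise (an unchecked oversize length yields a wrong path, not a crash).

```ruby
# Added example, not from texmfstart.rb: the pre-sized String used as an
# out-buffer, with a hypothetical stand-in for `filemethod`.
BUFFER_SIZE = 260 # the fixed size used in the quoted snippet

# Hypothetical stand-in for the Win32 path call behind `filemethod`.
# Assumed convention: writes the result into `buffer` and returns its
# length; if `buffer` cannot hold it plus a terminating NUL, writes
# nothing and returns the size that would be needed instead.
def fake_short_path(filename, buffer, size)
  short = filename.split('/', -1).map { |c| c.length > 8 ? c[0, 6] + '~1' : c }.join('/')
  return short.length + 1 if short.length >= size
  buffer[0, short.length] = short # bounded: String#[]= replaces in place
  short.length
end

# The pattern as quoted. Nothing here can overrun memory: the String
# bounds the write and `slice` clamps to the string's length. The failure
# mode is a wrong answer (a buffer full of padding), not memory corruption.
def short_name_naive(filename)
  buffer = ' ' * BUFFER_SIZE
  length = fake_short_path(filename, buffer, buffer.size)
  return buffer.slice(0..length - 1) if length > 0
  filename
end

# Checked variant: a reported length that does not fit the buffer means
# "too small", so allocate that size and try once more.
def short_name_checked(filename)
  size = BUFFER_SIZE
  2.times do
    buffer = ' ' * size
    length = fake_short_path(filename, buffer, size)
    return filename if length <= 0
    return buffer.slice(0, length) if length < size
    size = length # callee told us what it needs; grow and retry once
  end
  filename
end
```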