Bill Allombert wrote:
> When I spoke of security nightmare, this was exactly what I had in mind.
> You will never find a blacklist of commands that prevents abuse, and the
> current one certainly does not. For example \usepackage and \documentclass
> are not blacklisted so the attacker can load add-on pa
ot;,"\\section","\\mbox","\\DeclareRobustCommand"}
So (in the normal case) all of these commands will not be "authorised".
In fact, if you send a message like:
normal text \input in normal text $$equation$$ normal text $$equation $$
(or with the blacklisted command in the $$equation part$$) the message
_will not_ be transformed using the LaTeX compiler (with the is_blacklisted
function).
If some other commands have to be blacklisted, I hear you.
If you have any suggestions about security problems (for example an error in
my code, or a LaTeX hack to "eviter" (French word, don't know in English)
this security), you can continue the discussion here; I will read it.
Also, other bugs can be posted on SourceForge, for example.
Nicolas Schoonbroodt
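
The two policies discussed in this thread, side by side, as an added example that is not code from either poster or from the project: a blacklist check in the spirit of is_blacklisted, and an allowlist check that accepts only known math commands. All names and both lists are hypothetical (the blacklist reuses only command names visible above), and it assumes only the $$...$$ fragments are handed to the LaTeX compiler.

```python
import re

# Constructed sample lists: the blacklist reuses command names seen in this
# thread; the allowlist is a hypothetical set of math-only commands.
BLACKLIST = {"input", "section", "mbox", "DeclareRobustCommand"}
ALLOWLIST = {"frac", "sqrt", "sum", "int", "alpha", "beta", "pi", "infty",
             "left", "right", "cdot", "times", "leq", "geq"}

# A control sequence: backslash plus letters, or backslash plus one character.
CONTROL_SEQ = re.compile(r"\\([A-Za-z@]+|.)", re.DOTALL)
# Plain math characters accepted outside control sequences; a caret is
# accepted only as a single superscript marker.
SAFE_CHARS = re.compile(r"(?:[A-Za-z0-9\s+\-*/=<>()\[\]{}_.,:;!|']|\^(?!\^))*")


def math_fragments(message):
    """Return the text between each $$ ... $$ pair of a message."""
    return re.findall(r"\$\$(.*?)\$\$", message, re.DOTALL)


def commands(fragment):
    """Return the names of all control sequences in a fragment."""
    return CONTROL_SEQ.findall(fragment)


def blacklist_accepts(fragment):
    """Blacklist policy: accept unless a listed command appears."""
    return not any(name in BLACKLIST for name in commands(fragment))


def allowlist_accepts(fragment):
    """Allowlist policy: accept only known commands and plain math characters."""
    if any(name not in ALLOWLIST for name in commands(fragment)):
        return False
    remainder = CONTROL_SEQ.sub("", fragment)
    return SAFE_CHARS.fullmatch(remainder) is not None


def should_render(message):
    """Render only if the message has fragments and all pass the allowlist."""
    fragments = math_fragments(message)
    return bool(fragments) and all(allowlist_accepts(f) for f in fragments)
```
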