7

I'm building a webapp that takes latex code from users, which is then compiled serverside. Now latex creates a huge system vulnerability since it is turing complete and you can basically hack the entire system by using commands like \openin, \read, \readline or \write.

I've read the articles tagged with security, but I'm not sure yet what is necessary to make the system entirely safe. E.g. it says change the texmf.cnf file. But then in one of the comments it says:

Be aware that a malicious loop could spike the CPU indefinitely. (Dave Jarvis)

A solution for this is not presented. What can be done about this? But so my concrete question is:

Which measures are necessary to make my web page secure, when compiling user latex?

bersling
  • 423
  • 10
    using texmf.cnf you can prevent latex writing or reading dot files or out of the current directory. There is nothing you can do within tex about loops \def\x{\x}\x will loop forever. You need to limit the time using external operating system features to limit the job. – David Carlisle Aug 22 '15 at 11:31
  • 1
    I guess it depends on what exactly your users are going to use latex for. I use latex as a PDF generating backend for some Web forms. There I have complete control, and can weed out user input. It could be interesting to know what sharelatex, overleaf or arxiv does. – daleif Aug 22 '15 at 11:33
  • 1
    BTW what is up with the "injection" word in the title? – daleif Aug 22 '15 at 11:34
  • 1
    @daleif: Sharelatex has a at least a timeout systems. If the job takes to long it aborts. – Ulrike Fischer Aug 22 '15 at 11:40
  • Ah, so it sort of forks the process, compiles in a child and adds a timer. Good choice as there as some things nonstopmode etc does not catch (annoying that SE @ does not give named pop-ups in the Android app as it does on the desktop version, /rant) – daleif Aug 22 '15 at 11:44
  • @daleif Well because the user can inject malicious code into my system using latex – bersling Aug 22 '15 at 12:12
  • @DavidCarlisle Good idea – bersling Aug 22 '15 at 12:13
  • Not really. When it is not allowed to write to anything above a certain directory, all that can happen is eating up CPU cycles. Or if badly configured the ability to read random files that the process is allowed to read. – daleif Aug 22 '15 at 12:15
  • @user3022127 'Secure' and 'avoid an infinite loop' aren't the same thing. As already noted, you can prevent TeX reading/writing to files (and spawning other processes) using settings in texmf.cnf, which cover 'security', but you can't tell if a process will reach a loop or not. Could you clarify which aspect you are after more info on? – Joseph Wright Aug 22 '15 at 12:32
  • @user3022127 saying a user can inject malicious code is a strange description, you can use texmf.cnf to add further restrictions but even with the default settings it is hard to think of any damage that can be done. – David Carlisle Aug 22 '15 at 13:21

1 Answers1

15

By default latex can not execute system code or write files beginning . or write out of the current directory, so the security risks are minimal.

If you wish you could further restrict file reading to be paranoid, the default settings in texmf.cnf are

% Allow TeX \openin, \openout, or \input on filenames starting with `.'
% (e.g., .rhosts) or outside the current tree (e.g., /etc/passwd)?
% a (any)        : any file can be opened.
% r (restricted) : disallow opening "dotfiles".
% p (paranoid)   : as `r' and disallow going to parent directories, and
%                  restrict absolute paths to be under $TEXMFOUTPUT.
openout_any = p
openin_any = a

As for any non trivial programming language, there is the possibility of infinite loops

\def\x{\x}\x

will loop forever.

There is no way to stop that within TeX but any reasonable environment for launching TeX on your server should have facilities to limit the time or other resources available to that process and abort it if those limits are exceeded.

David Carlisle
  • 757,742