How to setup a (La)TeX-enabled server to allow visitors to submit input file and download the rendered output?

Question

I am very interested to setup my own server like dev.baywifi.com or live.contextgarden.net.

I am using IIS web server under Windows Server 2008 R2.

Could you give me a rough idea how to setup the server and make sure it can serve multi users in parallel?

Objectives:

To create a mathematics forum that allows users to submit PSTricks codes. For LaTeX codes I will use MathJax.

You know that I can write in the source write18{rm -fr *} or same without write18 in a \DeclareGraphicsRule. TeX isn't really secure ... — , Dec 29 '10 at 18:52
@Herbert, I can sanitize the input if I know the list of "dangerous" commands. — Display Name, Dec 29 '10 at 18:55
@xport: Lots of other previewer services tried that too. Most of them failed. — TH., Dec 29 '10 at 20:20
@TH, but if I can sanitize the input I believe that it will be safe. — Display Name, Dec 29 '10 at 20:25
@xport: Yeah, if. Did you read the paper to see what other people tried to do? At the very least, you should try not to make their mistakes again. — TH., Dec 29 '10 at 20:30
@xport If you can find a way to sandbox the user input, it is not a difficult job. Remember that by changing appropriate codes, one can define write 18 as anything else, for example something like this .,.!, almost next to impossible to sanitize! — yannisl, Dec 29 '10 at 20:36
@xport If you willing to use Apache I can post a short solution with PHP, but sanitization and sandboxing I can't! — yannisl, Dec 29 '10 at 20:47
I don't know if this meets your requirements, and therefore I'm not posting this as an answer, but have you looked at the Common LaTeX Service Interface project? It is, for example, used by the LaTeX Lab project. — Torbjørn T., Dec 30 '10 at 21:34

score 5 · Answer 1 · answered Dec 25 '10 at 14:07

5

This is a very simple thing to do naïvely. You make a form POST to a CGI script that invokes LaTeX and then uses something like dvipng to produce a graphic from the result.

If you take the appropriate precautions, it can be safe to do in Linux using TeX Live. (Those precautions include setting openin_any = p, chroot jails, and short timeouts.) When this paper was published, there was not an option similar to openin_any on MiKTeX and that lead to complete system compromise. (I don't know if the situation has changed.) And for the default configuration on TeX Live, it lead to being able to read arbitrary files on the server.

Bottom line: I wouldn't recommend it.

answered Dec 25 '10 at 14:07

TH.

62,639

@TH, how about the multi user access in parallel or concurrency? – Display Name Dec 25 '10 at 14:28
2

@xport: This is really the wrong place to ask about this. It's a simple matter of using your OS to give you a unique file name, for example the mkstemp(3) function. I really don't think this is a good idea though. – TH. Dec 25 '10 at 17:03
Precautions: I think that running as user nobody should be OK, in a reasonably constructed system. I don't get the short timeouts bit. – Charles Stewart Dec 27 '10 at 18:26
2

@Charles: Consider \loop\iftrue\shipout\hbox{}\repeat as input. – TH. Dec 29 '10 at 20:20
2

@Charles: Also, running as nobody doesn't prevent it from reading world readable files that you might not really want readable from the internet. For example an apache config file that then tells you where a password file for a protected domain lives which you then read. – TH. Dec 29 '10 at 20:24
@TH.: You're right about the need for some sort of quota. I don't stand by my comment about using nobody as the main defence against rogue Tex scripts. FWIW, FreeBSD's jail offers disk quotas, as do other OS container virtualisation systems like Openvz. – Charles Stewart Jan 01 '11 at 12:57

How to setup a (La)TeX-enabled server to allow visitors to submit input file and download the rendered output?

1 Answers1