calling latex from php: security issues

Question

I am trying to program a web interface for automated generation of calculus tests. The idea is to take some input from user, say number of problems and name of instructor, and then by means of php generate the latex file, process it with pdflatex and let user download it.

The procedure seems to be quite straightforward. But what if somebody enters for instructor name something like "Mr. Mackey \input{/etc/hosts}" ?

looks like one can retrieve any file accessible to web server.

How to prevent this? May be there are natural php ways? I am very new to php, and would appreciate any advice.

basically the same things you'd do to prevent SQL injection attacks need to be done to prevent Latex injection attacks - escape any latex metachars. — , Dec 12 '12 at 21:29
yes, that would be a good way. I still want people to be able to enter accents, like G"ogel. But may be I should indeed restrict allowed latex commands to just a few... — , Dec 12 '12 at 21:45
Try the mentioned \include and you will see it fail. Please do a man pdftex and read the comments in texmf.cnf. And of course use chroot and ulimit. — Martin Schröder, Dec 13 '12 at 07:46
So as not to be reinventing the wheel, you might want to look into LON-CAPA. — Alan Munn, Dec 14 '12 at 16:54
Under bash, a command line such as openin_any=p pdflatex file works as well. — egreg, Dec 14 '12 at 16:59
Joseph Wright has some links to good articles on security on his blog: TeX and security — Alan Munn, Dec 14 '12 at 17:36
LON-CAPA is too large and complicated. We are doing a simple random generator of tests from problems of our choice that have to printed and given to students on a test day... — user1898918, Dec 14 '12 at 20:51

score 4 · Answer 1 · edited Apr 13 '17 at 12:35

4

As Paulo wrote, David's answer here is the right solution.

Here's a magazine article which talks about some of the risks. There's an associated research article as well.

edited Apr 13 '17 at 12:35

Community

1

answered Dec 14 '12 at 16:55

TH.

62,639

I am using at this point a simple routine that checks that the only latex expressions in the entered name are accents... I will use openin_any=p too. Thanks a lot. – user1898918 Dec 14 '12 at 20:54

calling latex from php: security issues

1 Answers1

Linked