Questions about computer safety concerns when running TeX programs or viewing TeX-created documents. For questions about managing digital rights (e.g. password-protected documents) use the {drm} tag.
Questions tagged [security]
54 questions
32 votes, 1 answer
Is CTAN secure against attackers uploading bugged versions of well-known packages?
I was checking out how to make a CTAN package, and I was surprised that it does not involve making an account: you simply have to fill out a form. If you have a new version of a package, you simply fill out the same form again.
Now, it would be a…
Bram Geron
- 567
19 votes, 1 answer
How do CTAN maintainers make sure all the uploaded packages and classes in CTAN are free of malicious code?
There are a large number of packages (plus some classes) uploaded and updated in CTAN (other mirrors as well). How do the CTAN maintainers make sure the uploaded stuff is free of malicious code? Do they use a sophisticated script (like anti-virus…
kiss my armpit
- 36,086
14 votes, 2 answers
Security in autogenerated LaTeX scripts. How to avoid LaTeX Injection?
I have TeX Live 2019 installed on my server and generate PDFs from a LaTeX-Template with a server-side scripting language (PHP 7). I have to insert data from the database (untrusted data) and also some data from the users (also untrusted data) into…
Awaaaaarghhh
- 341
7 votes, 1 answer
Security: LaTeX Injection Hack
I'm building a webapp that takes LaTeX code from users, which is then compiled serverside. Now LaTeX creates a huge system vulnerability since it is Turing complete and you can basically hack the entire system by using commands like \openin, \read,…
bersling
- 423
3 votes, 0 answers
Is stripping backslashes enough to sanitize user generated input?
If I accept any input from the scary Internet to generate first a tex file and then a pdf using XeTeX in a server, is it enough to remove all backslashes and escape all the reserved characters #, %, $, _, ^, &, {, } as \#, \%, etc to be in the safe…
Victor
- 285