openin_any = p in texmf.cnf
excerpt from texmf.cnf: ------------------------------------------------------------------------- % Do we allow TeX \input or \openin (openin_any), or \openout % (openout_any) on filenames starting with `.' (e.g., .rhosts) or % outside the current tree (e.g., /etc/passwd)? % a (any) : any file can be opened. % r (restricted) : disallow opening dot files % p (paranoid) : as `r' and disallow going to parent directories, and % restrict absolute paths to be under $TEXMFOUTPUT. openin_any = a ------------------------------------------------------------------------- Dear Sirs, when I set openin_any = p then fmtutil can't create any LuaTeX-based format files anymore: $ fmtutil --sys --all [...stuff omitted...] fmtutil [ERROR]: running `luatex -ini -jobname=luatex -progname=luatex luatex.ini
On 3/9/2018 11:14 PM, Reinhard Kotucha wrote:
excerpt from texmf.cnf: ------------------------------------------------------------------------- % Do we allow TeX \input or \openin (openin_any), or \openout % (openout_any) on filenames starting with `.' (e.g., .rhosts) or % outside the current tree (e.g., /etc/passwd)? % a (any) : any file can be opened. % r (restricted) : disallow opening dot files % p (paranoid) : as `r' and disallow going to parent directories, and % restrict absolute paths to be under $TEXMFOUTPUT. openin_any = a -------------------------------------------------------------------------
Dear Sirs, when I set
openin_any = p
then fmtutil can't create any LuaTeX-based format files anymore:
$ fmtutil --sys --all
[...stuff omitted...]
fmtutil [ERROR]: running `luatex -ini -jobname=luatex -progname=luatex luatex.ini
Only LuaTeX-based formats are concerned, all other format files are built successfully.
Everything works as expected with
openin_any = a
and
openin_any = r
I'm using the latest stuff in tlpretest. set openin_any=p
luatex --ini plain \dump warning: c:/data/develop/tex-context/tex/texmf/web2c/texmf.cnf:49: (kpathsea) No cnf value on line: OSFONTDIR =. This is LuaTeX, Version 1.08.0 (TeX Live 2018/dev) (INITEX) system commands enabled.
luatex.exe: Not reading from c:/data/develop/tex-context/tex/texmf/tex/plain/base/plain.tex (openin_any = p). ! I can't find file `plain'. <*> plain \dump (Press Enter to retry, or Control-Z to exit) Please type another input file name: ! Emergency stop. <*> plain \dump ! ==> Fatal error occurred, bad output DVI file produced! No pages of output. Transcript written on texput.log.
pdftex --ini plain \dump warning: c:/data/develop/tex-context/tex/texmf/web2c/texmf.cnf:49: (kpathsea) No cnf value on line: OSFONTDIR =. This is pdfTeX, Version 3.14159265-2.6-1.40.18 (TeX Live 2017/W32TeX) (INITEX) \write18 enabled.
pdftex.exe: Not reading from c:/data/develop/tex-context/tex/texmf/tex/plain/base/plain.tex (openin_any = p). ! I can't find file `c:/data/develop/tex-context/tex/texmf/tex/plain/base/plain.tex'. <*> ...context/tex/texmf/tex/plain/base/plain.tex \dump (Press Enter to retry, or Control-Z to exit) Please type another input file name: ! Emergency stop. <*> ...context/tex/texmf/tex/plain/base/plain.tex \dump No pages of output. Transcript written on texput.log. with
set openin_any=a
i can make both ----------------------------------------------------------------- Hans Hagen | PRAGMA ADE Ridderstraat 27 | 8061 GH Hasselt | The Netherlands tel: 038 477 53 69 | www.pragma-ade.nl | www.pragma-pod.nl -----------------------------------------------------------------
On 2018-03-10 at 13:04:16 +0100, Hans Hagen wrote:
pdftex --ini plain \dump [...] pdftex.exe: Not reading from c:/data/develop/tex-context/tex/texmf/tex/plain/base/plain.tex (openin_any = p). ! I can't find file `c:/data/develop/tex-context/tex/texmf/tex/plain/base/plain.tex'.
Hello Hans, the pdftex (or better non-luatex) issue is fixed now by Akira in TL-pretest SVN rev. 46978. It was caused by 8.3 support for long filenames (like ABCDEF~1.TEX). Akira removed the code because it isn't needed anymore. Hence pdftex --ini plain \dump is supposed work now on Windows as well. The luatex problem still remains. Not only the creation of format files is concerned. Instead of luatex --ini plain \dump you can also try lualatex '\relax\documentclass{article}\stop' My vague guess is that luatex checks openin_any *after* paths are expanded to absolute paths by kpathsea. IMO the issue is quite important because some web services like ShareLaTeX are processing arbitrary files uploaded by arbitrary users and thus it's absolutely necessary to set openin_any=p for security reasons. AFAIK ShareLaTeX is not concerned ATM because it still uses pdftex. It's highly desirable to make luatex work with openin_any=p as well. Regards, Reinhard -- ------------------------------------------------------------------ Reinhard Kotucha Phone: +49-511-3373112 Marschnerstr. 25 D-30167 Hannover mailto:reinhard.kotucha@web.de ------------------------------------------------------------------
On 3/18/2018 1:15 AM, Reinhard Kotucha wrote:
On 2018-03-10 at 13:04:16 +0100, Hans Hagen wrote:
pdftex --ini plain \dump [...] pdftex.exe: Not reading from c:/data/develop/tex-context/tex/texmf/tex/plain/base/plain.tex (openin_any = p). ! I can't find file `c:/data/develop/tex-context/tex/texmf/tex/plain/base/plain.tex'.
Hello Hans, the pdftex (or better non-luatex) issue is fixed now by Akira in TL-pretest SVN rev. 46978. It was caused by 8.3 support for long filenames (like ABCDEF~1.TEX). Akira removed the code because it isn't needed anymore. Hence
pdftex --ini plain \dump
is supposed work now on Windows as well.
The luatex problem still remains. Not only the creation of format files is concerned. Instead of
luatex --ini plain \dump
you can also try
lualatex '\relax\documentclass{article}\stop'
My vague guess is that luatex checks openin_any *after* paths are expanded to absolute paths by kpathsea.
IMO the issue is quite important because some web services like ShareLaTeX are processing arbitrary files uploaded by arbitrary users and thus it's absolutely necessary to set openin_any=p for security reasons. AFAIK ShareLaTeX is not concerned ATM because it still uses pdftex. It's highly desirable to make luatex work with openin_any=p as well. if the 8.3 hack is removed from kpse then luatex will also have that removed and use normal names
Hans ----------------------------------------------------------------- Hans Hagen | PRAGMA ADE Ridderstraat 27 | 8061 GH Hasselt | The Netherlands tel: 038 477 53 69 | www.pragma-ade.nl | www.pragma-pod.nl -----------------------------------------------------------------
participants (3)
-
Hans Hagen -
Hans Hagen -
Reinhard Kotucha