10 Nov 2008, 5:47 a.m.
On Mon, 10 Nov 2008, Yue Wang wrote:
Hi:
Let me try another trick:

\starttext
\directlua0{os.exec("luatools --generate")}
Hello world!
\stoptext
[snip]
So next time the Live is down, I can manually fix that :-)
I think that this is a serious security risk. Replacing luatools --generate with any unix command works. I can cat files in /etc directory, so os.exec effectively gives me read access to the entire server.

Is there a luatex flag which can limit what os.exec can do?

Aditya
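
A sketch of the kind of restriction asked about above, as an added example that is not part of the original messages and not LuaTeX's or ConTeXt's own code: it replaces the process-spawning functions with stubs before any document Lua runs. The names `lock_down` and `BLOCKED` are hypothetical, and the untrusted string is a constructed stand-in for the `\directlua` body in the quoted message.

```lua
-- Added example; lock_down and BLOCKED are hypothetical names, not LuaTeX API.
-- Functions that can start a process or load native code. os.exec and
-- os.spawn are LuaTeX additions (nil in a stock Lua interpreter).
local BLOCKED = {
  os      = { "execute", "exec", "spawn" },
  io      = { "popen" },
  package = { "loadlib" },
}

-- Overwrite each blocked entry with a stub that raises an error.
-- Returns the names replaced, for logging.
local function lock_down()
  local replaced = {}
  for libname, names in pairs(BLOCKED) do
    local lib = _G[libname]
    if type(lib) == "table" then
      for _, name in ipairs(names) do
        local full = libname .. "." .. name
        lib[name] = function()
          error(full .. " is disabled for untrusted documents", 2)
        end
        replaced[#replaced + 1] = full
      end
    end
  end
  table.sort(replaced)
  return replaced
end

-- Must run before any document code, e.g. from an initialization script.
print("disabled: " .. table.concat(lock_down(), ", "))

-- Constructed stand-in for the Lua body of \directlua0{...} in the message.
local untrusted = [[os.exec("luatools --generate")]]
local chunk = assert((loadstring or load)(untrusted))
local ok, err = pcall(chunk)
print("ran: " .. tostring(ok), err)

-- Not covered here: io.open still reads any file the server account can
-- read, so file access needs OS-level confinement (separate user, chroot).
```

LuaTeX's `--safer` and `--no-shell-escape` command-line options apply restrictions of this kind in the engine itself.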