[tex-k] secure mode of dvips should be default

Sebastian Rahtz sebastian.rahtz@computing-services.oxford.ac.uk
Sun, 3 Jun 2001 13:05:26 +0100

Thomas Esser writes:
 > > Xdvi implements such a trusted list, sort of.  If xdvi encounters a
 > > PostScript file whose name ends in .Z or .gz or .bz2, and if the first
 > > 2-3 bytes of the file are the correct magic bytes for the file type,
 > > then xdvi will automatically pass the file through uncompress or gunzip
 > > or bunzip2 before processing it.  IMHO, dvips should do the same
 > > (and TeX, likewise, when getting bounding box information).
 > > 
 > > Comments, anyone?
 > Even better would be to use libgz / libbz2 for decompression. No fork,
 > no security problem.

The dvips in TeXlive does the same as xdvi, looking for .gz etc, and
calling the right program. I agree, it's a security problem. I note
that I added in the source at the relevant point:

/* FIXME : use zlib instead of gzip ! */


If someone would like to fix this up, it would be great. Since zlib is
already in place for pdftex and dvipdfm, it should be easy. It just needs
a Real Programmer.
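As an added illustration, not code from dvips, xdvi or this thread: the magic-byte check described above, with the decompression done in-process (zlib and the bz2 library) instead of forking gunzip or bunzip2, a cap on the decompressed size, and a refusal for the .Z (compress) format rather than a fallback to an external program. The sample PostScript and the `MAGIC` table are constructed here.

```python
import bz2
import gzip
import zlib

# Suffix -> leading "magic" bytes for each format (table constructed here).
MAGIC = {
    ".gz": b"\x1f\x8b",   # gzip
    ".bz2": b"BZh",       # bzip2
    ".Z": b"\x1f\x9d",    # compress(1), LZW
}


def sniff(data):
    """Return the suffix whose magic bytes start DATA, or None."""
    for suffix, magic in MAGIC.items():
        if data.startswith(magic):
            return suffix
    return None


def load_compressed_ps(name, data, max_out=16 * 1024 * 1024):
    """Return the PostScript bytes for NAME, decompressing in-process.

    The filename suffix and the magic bytes must agree, no external
    program is ever run, and output is capped so a tiny file cannot
    expand without bound."""
    suffix = next((s for s in MAGIC if name.endswith(s)), None)
    if suffix is None:
        return data                       # plain PostScript, nothing to do
    if sniff(data) != suffix:
        raise ValueError("suffix %s does not match file contents" % suffix)
    if suffix == ".gz":
        d = zlib.decompressobj(wbits=31)  # 31: zlib parses the gzip header
        out = d.decompress(data, max_out)
    elif suffix == ".bz2":
        d = bz2.BZ2Decompressor()
        out = d.decompress(data, max_out)
    else:
        # No in-process LZW decoder here: refuse instead of forking uncompress.
        raise NotImplementedError("compress(1) format not handled in-process")
    if not d.eof:                         # stream truncated, or output > cap
        raise ValueError("stream incomplete or larger than %d bytes" % max_out)
    return out


# Constructed sample: a minimal EPS header, compressed two ways.
SAMPLE_PS = b"%!PS-Adobe-2.0 EPSF-2.0\n%%BoundingBox: 0 0 100 100\n"
SAMPLE_GZ = gzip.compress(SAMPLE_PS)
SAMPLE_BZ2 = bz2.compress(SAMPLE_PS)
```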