如何逃脱/剥离LaTeX文档中的特殊字符? [英] How to escape/strip special characters in the LaTeX document?
问题描述
我们实施了在线服务,可以使用预定义的
结构生成PDF。用户可以选择LaTeX模板,然后使用适当的输入进行编译。
We implemented the online service where it is possible to generate PDF with predefined structure. The user can choose a LaTeX template and then compile it with an appropriate inputs.
我们担心的问题是安全性,恶意用户无法获取shell通过注入特殊指令进入乳胶文件。
The question we worry about is the security, that the malicious user was not able to gain shell access through the injection of special instruction into latex document.
我们需要一些解决方法,或至少要从输入中剥离的特殊字符列表数据。
首选语言将是PHP,但任何建议,结构和链接都非常受欢迎。
Preferred language would be PHP, but any suggestions, constructions and links are very welcomed.
PS。我们正在寻找LaTeX的 mysql_real_escape_string
PS. in few word we're looking for mysql_real_escape_string for LaTeX
推荐答案
唯一的可能性(AFAIK)使用LaTeX进行有害的操作是使用 \write18 。这只有在您使用--shell-escape或--enable-write18参数(取决于您的分发)运行LaTeX时才有效。
The only possibility (AFAIK) to perform harmful operations using LaTeX is to enable the possibility to call external commands using \write18. This only works if you run LaTeX with the --shell-escape or --enable-write18 argument (depending on your distribution).
所以只要你不运行它与这些参数之一应该是安全的,而不需要过滤掉任何部分。
So as long as you do not run it with one of these arguments you should be safe without the need to filter out any parts.
除此之外,还可以使用 \\\,
ewwrite \openout 和 \write 命令。让用户创建和(过)写入文件可能是不需要的?所以你可以过滤掉这些命令的出现。但是保留某些命令的黑名单容易失败,因为有意图的人可以通过扼杀输入文档来轻松隐藏实际的命令。
Besides that, one is still able to write other files using the \newwrite, \openout and \write commands. Having the user create and (over)write files might be unwanted? So you could filter out occurrences of these commands. But keeping blacklists of certain commands is prone to fail since someone with a bad intention can easily hide the actual command by obfusticating the input document.
编辑:使用有限的帐户运行LaTeX命令(即不写入非乳胶/项目相关目录)与禁用 \write18 相结合可能比保留更简单和更安全危险命令的黑名单。
Edit: Running the LaTeX command using a limited account (ie no writing to non latex/project related directories) in combination with disabling \write18 might be easier and more secure than keeping a blacklist of 'dangerous' commands.
这篇关于如何逃脱/剥离LaTeX文档中的特殊字符?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
