LaTeX

Open paragonie-scott opened this issue 8 years ago • 9 comments

Per @co60ca in this tweet, I should look into supporting LaTeX->HTML parsers and add it to the format list.

As always, our priorities are:

  1. Security
  2. Usability
  3. Ease-of-integration (kludgy code is hard-to-audit code)

paragonie-scott avatar Mar 30 '16 04:03 paragonie-scott

Should support AMSMATH packages at least. <3

co60ca avatar Mar 30 '16 04:03 co60ca

I will be shocked if there isn't already a well-written LaTeX -> HTML library written in PHP.

paragonie-scott avatar Mar 30 '16 04:03 paragonie-scott

https://github.com/xemlock/php-latex Need to audit first, but looks promising.

paragonie-scott avatar Mar 30 '16 17:03 paragonie-scott

Sorry, I don't think we'll be able to squeeze this in before v1.0.0, so I'm removing it from the milestone.

  • In order to claim LaTeX support, we need to support macros.
  • Supporting macros without RCE requires a level of security analysis beyond what I'm willing to invest at the moment.
  • It turns out that the community doesn't have a rich supply of candidate libraries to choose from after all.

I'm not ruling this out.

paragonie-scott avatar Apr 01 '16 02:04 paragonie-scott

Hi, I saw this issue and since you are prioritizing security I wanted to share this article: hacking with latex.

I'm not sure whether you're familiar with the article / hacking latex, nor do I know whether php-latex is vulnerable to the attacks described in the article (I'm assuming it is), but since it wasn't mentioned in this issue I thought it would be better to be safe than sorry. :smile:

MarkRedeman avatar Apr 07 '16 09:04 MarkRedeman

Not that it matters, but couldn't you support a restricted LaTeX and claim "limited LaTeX support"? Or would removing macros make it pretty much unusable? (I don't use macros directly)

co60ca avatar Apr 08 '16 00:04 co60ca

It would probably depend on your use case. Your tweet seems to have disappeared, so I don't know the original motivation.

I often reuse a preamble.tex file which contains a few macros for representing vectors (giving them a bold face), norms, etc. Removing macros would mean that most / all of my articles wouldn't compile.

Just a disclaimer: I'm by no means an "expert" in either LaTeX or security.

MarkRedeman avatar Apr 08 '16 07:04 MarkRedeman

There is no filesystem access here at all. That's critically important.

This is for blog posts, web pages, and comments that some end users without access to the filesystem can alter. HTML, Markdown, and RST are allowed because and only because there is no "read something from the file system" functionality exposed.

paragonie-scott avatar Apr 11 '16 22:04 paragonie-scott
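An added illustration of the "limited LaTeX support" idea raised above (not Airship code and not from anyone in the thread): an allowlist check over the control sequences and environments in a submission. Anything that can define macros, change catcodes or read files is refused simply by not being on the list, so no blocklist has to chase new primitives; the allowlist contents and the function names are assumptions for the example.

```python
"""Allowlist check for a restricted, macro-free LaTeX math subset.

Example code for the thread's 'restricted LaTeX' idea, not Airship's own.
Assumption: this runs on the raw source before the converter, and the
converter's lexer does not honour ^^xx notation or any other way of
smuggling a backslash; ideally the same check is applied to the
converter's own token stream.
"""
import re

# Assumed allowlist: typesetting-only commands (plain + a little AMS math).
ALLOWED = {
    "frac", "sqrt", "sum", "prod", "int", "lim", "infty", "cdot", "times",
    "alpha", "beta", "gamma", "theta", "lambda", "mu", "pi", "sigma",
    "mathbf", "mathrm", "mathbb", "left", "right", "langle", "rangle",
    "lVert", "rVert", "begin", "end", "text", "partial", "nabla", "le", "ge",
}
ALLOWED_ENVS = {"align", "align*", "aligned", "pmatrix", "bmatrix", "cases"}

# A control sequence is a backslash followed by letters, or by one other char.
_CS = re.compile(r"\\([A-Za-z]+|[^A-Za-z])")
_ENV = re.compile(r"\\(?:begin|end)\s*\{([^}]*)\}")


def find_violations(src: str) -> list[str]:
    """Return every control sequence or environment not on the allowlist.

    An empty list means the input uses only listed, typesetting-only
    commands; \\def, \\newcommand, \\catcode, \\csname, \\input, \\write and
    so on are all reported because they are simply not listed.
    """
    bad = []
    for m in _CS.finditer(src):
        name = m.group(1)
        # Single-character escapes (\{ \} \, \\ ...) are plain typesetting.
        if len(name) == 1 and not name.isalpha():
            continue
        if name not in ALLOWED:
            bad.append("\\" + name)
    for m in _ENV.finditer(src):
        env = m.group(1).strip()
        if env not in ALLOWED_ENVS:
            bad.append("environment " + env)
    return bad


def is_safe_subset(src: str) -> bool:
    """True only when the document stays inside the allowlisted subset."""
    return not find_violations(src)
```

Note that the preamble-style vector macro mentioned earlier in the thread is rejected twice, once for `\newcommand` and once for the unknown `\vect`, which is exactly the trade-off co60ca and MarkRedeman discuss.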

Should a great no-filesystem-access LaTeX parser written in PHP surface in the near future, I'll consider adding this format to the available text modes. Unfortunately, I don't have the time to audit or fork the existing ones to make them secure.

I'll leave this ticket open in case that happens.

paragonie-scott avatar May 16 '16 06:05 paragonie-scott