How to escape/strip special characters in the LaTeX document?(如何在 LaTeX 文档中转义/去除特殊字符?)
问题描述
我们实施了在线服务,可以生成预定义的 PDF结构体.用户可以选择一个 LaTeX 模板,然后用适当的输入编译它.
We implemented the online service where it is possible to generate PDF with predefined structure. The user can choose a LaTeX template and then compile it with an appropriate inputs.
我们担心的问题是安全性,恶意用户无法通过向 Latex 文档中注入特殊指令来获得 shell 访问权限.
The question we worry about is the security, that the malicious user was not able to gain shell access through the injection of special instruction into latex document.
我们需要一些解决方法,或者至少需要一个我们应该从输入数据中去除的特殊字符列表.
首选语言是 PHP,但非常欢迎任何建议、结构和链接.
Preferred language would be PHP, but any suggestions, constructions and links are very welcomed.
PS.简而言之,我们正在为 LaTeX 寻找 mysql_real_escape_string
PS. in few word we're looking for mysql_real_escape_string for LaTeX
推荐答案
使用 LaTeX 执行有害操作的唯一可能性(AFAIK)是启用使用 write18
.这仅在您使用 --shell-escape 或 --enable-write18 参数(取决于您的发行版)运行 LaTeX 时才有效.
The only possibility (AFAIK) to perform harmful operations using LaTeX is to enable the possibility to call external commands using write18
. This only works if you run LaTeX with the --shell-escape or --enable-write18 argument (depending on your distribution).
因此,只要您不使用这些参数之一运行它,您就应该是安全的,无需过滤掉任何部分.
So as long as you do not run it with one of these arguments you should be safe without the need to filter out any parts.
除此之外,您仍然可以使用
ewwrite
、openout
和 write
命令写入其他文件.让用户创建和(覆盖)写入文件可能是不需要的?因此,您可以过滤掉这些命令的出现.但是保留某些命令的黑名单很容易失败,因为不怀好意的人可以通过混淆输入文档来轻松隐藏实际命令.
Besides that, one is still able to write other files using the
ewwrite
, openout
and write
commands. Having the user create and (over)write files might be unwanted? So you could filter out occurrences of these commands. But keeping blacklists of certain commands is prone to fail since someone with a bad intention can easily hide the actual command by obfusticating the input document.
编辑:结合禁用 write18
使用受限帐户(即不写入非乳胶/项目相关目录)运行 LaTeX 命令可能会更容易且更多比保留危险"命令的黑名单更安全.
Edit: Running the LaTeX command using a limited account (ie no writing to non latex/project related directories) in combination with disabling write18
might be easier and more secure than keeping a blacklist of 'dangerous' commands.
这篇关于如何在 LaTeX 文档中转义/去除特殊字符?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持编程学习网!
本文标题为:如何在 LaTeX 文档中转义/去除特殊字符?
基础教程推荐
- 在 PHP 中强制下载文件 - 在 Joomla 框架内 2022-01-01
- 通过 PHP SoapClient 请求发送原始 XML 2021-01-01
- mysqli_insert_id 是否有可能在高流量应用程序中返回 2021-01-01
- WooCommerce 中选定产品类别的自定义产品价格后缀 2021-01-01
- 超薄框架REST服务两次获得输出 2022-01-01
- XAMPP 服务器不加载 CSS 文件 2022-01-01
- 在多维数组中查找最大值 2021-01-01
- 在 Woocommerce 中根据运输方式和付款方式添加费用 2021-01-01
- Libpuzzle 索引数百万张图片? 2022-01-01
- 如何在 PHP 中的请求之间持久化对象 2022-01-01