How to escape/strip special characters in a LaTeX document?

2022-01-24 00:00:00 latex escaping php strip

We implemented an online service where it is possible to generate PDFs with a predefined structure. The user can choose a LaTeX template and then compile it with appropriate inputs.

The question we worry about is security: that a malicious user is not able to gain shell access by injecting special instructions into the LaTeX document.

We need some solution, or at least a list of the special characters that we should strip from the input data.

Preferred language would be PHP, but any suggestions, constructions and links are very welcome.

PS. In a few words, we're looking for a mysql_real_escape_string for LaTeX.

Answer

The only possibility (AFAIK) to perform harmful operations using LaTeX is to enable the possibility to call external commands using \write18. This only works if you run LaTeX with the --shell-escape or --enable-write18 argument (depending on your distribution).

So as long as you do not run it with one of these arguments, you should be safe without the need to filter out any parts.

Besides that, one is still able to write other files using the \newwrite, \openout and \write commands. Having the user create and (over)write files might be unwanted? So you could filter out occurrences of these commands. But keeping blacklists of certain commands is prone to fail, since someone with bad intentions can easily hide the actual command by obfuscating the input document.

Edit: Running the LaTeX command using a limited account (i.e. no writing to non-LaTeX/project-related directories) in combination with disabling \write18 might be easier and more secure than keeping a blacklist of 'dangerous' commands.
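The two halves of the answer, escaping user data so it cannot form commands, and running the compiler with shell escape off, as an added worked example. This is editor-supplied code, not code from the original question or answer, and it is in Python rather than the PHP the asker preferred because the logic ports one-to-one. Assumptions: templates are trusted and mark user fields with a `\VAR{name}` placeholder (a convention chosen here, not the asker's), the job file is called `main.tex`, and pdflatex is the TeX Live (web2c) binary, whose `-no-shell-escape` flag and `openout_any`/`openin_any` texmf.cnf variables are used. The escaper only covers ordinary text mode: it is not a filter that makes arbitrary user-written LaTeX safe, and the compile step still relies on the restricted account and a time limit that the answer's edit recommends.

```python
"""Escape untrusted text for LaTeX and run pdflatex without shell escape.

Added example (Python rather than PHP); not code from the original post.
The \\VAR{name} placeholder syntax and the file name main.tex are assumptions.
"""
import os
import re
import subprocess
from pathlib import Path
from typing import Dict, List, Tuple

# The ten characters TeX treats specially in ordinary text.  A single-pass
# regex substitution avoids the classic ordering bug where escaping '\'
# first and '{' afterwards re-escapes the braces that were just introduced.
_LATEX_SPECIALS = {
    "\\": r"\textbackslash{}",
    "{": r"\{",
    "}": r"\}",
    "$": r"\$",
    "&": r"\&",
    "#": r"\#",
    "^": r"\textasciicircum{}",
    "_": r"\_",
    "%": r"\%",
    "~": r"\textasciitilde{}",
}
_SPECIAL_RE = re.compile("[" + re.escape("".join(_LATEX_SPECIALS)) + "]")


def latex_escape(text: str) -> str:
    """Return text that is safe to place in ordinary LaTeX text mode.

    Text mode only: do not use the result inside \\verb, as a file name,
    or inside macro arguments that re-parse their contents.
    """
    return _SPECIAL_RE.sub(lambda m: _LATEX_SPECIALS[m.group(0)], text)


# Assumed placeholder convention for trusted templates: \VAR{fieldname}
_PLACEHOLDER_RE = re.compile(r"\\VAR\{(\w+)\}")


def fill_template(template: str, fields: Dict[str, object]) -> str:
    """Substitute placeholders with escaped user values.

    The template is trusted; only the field values are escaped.  An unknown
    field name raises KeyError instead of silently passing the placeholder
    through to the compiler.
    """
    return _PLACEHOLDER_RE.sub(
        lambda m: latex_escape(str(fields[m.group(1)])), template)


def pdflatex_command(workdir, texfile: str = "main.tex") -> Tuple[List[str], Dict[str, str]]:
    """Build argv and environment for a hardened TeX Live pdflatex run."""
    argv = [
        "pdflatex",
        "-no-shell-escape",          # \write18 off even if texmf.cnf enables it
        "-interaction=batchmode",    # never stop to wait for terminal input
        "-halt-on-error",
        "-output-directory", str(workdir),
        texfile,
    ]
    env = dict(os.environ)
    # kpathsea reads texmf.cnf variables from the environment as well:
    # 'p' (paranoid) rejects absolute paths, '..' and dotfiles for \openout/\openin
    env["openout_any"] = "p"
    env["openin_any"] = "p"
    env["HOME"] = str(workdir)       # keep TEXMFHOME lookups inside the job dir
    return argv, env


def compile_untrusted(tex_source: str, workdir, timeout: int = 60) -> Path:
    """Write the filled document into workdir and compile it with a time limit.

    The time limit matters even without \\write18: a user can still write
    \\loop ... \\repeat and burn CPU for as long as you let it.
    """
    workdir = Path(workdir)
    workdir.mkdir(parents=True, exist_ok=True)
    (workdir / "main.tex").write_text(tex_source, encoding="utf-8")
    argv, env = pdflatex_command(workdir)
    subprocess.run(argv, cwd=workdir, env=env, timeout=timeout, check=True,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return workdir / "main.pdf"


if __name__ == "__main__":
    # Constructed sample: a trusted template and a hostile field value that
    # tries to smuggle a shell command through \write18.
    TEMPLATE = (r"\documentclass{article}\begin{document}"
                r"\section{\VAR{title}}\VAR{body}\end{document}")
    hostile = {"title": "Report #1",
               "body": r"\immediate\write18{rm -rf ~} 50% done & counting"}
    print(fill_template(TEMPLATE, hostile))
```

The printed document contains `\textbackslash{}write18\{rm -rf \textasciitilde{}\}` as literal text, so the injection is rendered, not executed. Run the compile step as the limited account the answer's edit describes; the process-level flags here do not replace that, they back it up.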
