diff --git a/texk/kpathsea/ChangeLog b/texk/kpathsea/ChangeLog index 65a2e675dd..6c09d3e139 100644 --- a/texk/kpathsea/ChangeLog +++ b/texk/kpathsea/ChangeLog @@ -1,3 +1,13 @@ +2024-11-06 Karl Berry + + * tex-file.c (kpathsea_name_ok): don't allow writing to the + filename ".tex". LaTeX 2024-11-01 changes their build process so + their .tex file is not created from TeX. Although maybe not + technically a security problem, it feels better not to allow it. + Report from Nicola Talbot, tlsecurity May 24 13:48:16 CEST 2024. + * NEWS: mention this. + * doc/kpathsea.texi (Safe filenames): remove doc of special case. + 2024-09-25 Karl Berry * texmf.cnf (shell_escape_commands): add latexminted for minted 3.0, diff --git a/texk/kpathsea/NEWS b/texk/kpathsea/NEWS index 9e289fc1d8..799df46036 100644 --- a/texk/kpathsea/NEWS +++ b/texk/kpathsea/NEWS @@ -1,6 +1,10 @@ $Id$ This file records noteworthy changes. (Public domain.) +* A file named ".tex" can no longer be written from TeX; previously this + was allowed as a special case. (The LaTeX 2024-11-01 release changes + their build process so as not to write it from TeX.) + 6.4.0 (for TeX Live 2024, 10 March 2024) * Support an extended check for safe filenames which also allows TEXMF[SYS]VAR, for Lua(La)TeX; new functions and corresponding diff --git a/texk/kpathsea/doc/kpathsea.info b/texk/kpathsea/doc/kpathsea.info index 702aff5779..6011858e46 100644 --- a/texk/kpathsea/doc/kpathsea.info +++ b/texk/kpathsea/doc/kpathsea.info @@ -1,4 +1,4 @@ -This is kpathsea.info, produced by makeinfo version 7.1 from +This is kpathsea.info, produced by makeinfo version 7.1.1 from kpathsea.texi. This file documents the Kpathsea library for path searching. @@ -37,7 +37,7 @@ Kpathsea library **************** This manual documents the Kpathsea library for path searching. It -corresponds to version 6.4.0, released in January 2024. +corresponds to version 6.4.0, released in November 2024. * Menu: 
@@ -62,7 +62,7 @@ File: kpathsea.info, Node: Introduction, Next: unixtex.ftp, Prev: Top, Up: T ************** This manual corresponds to version 6.4.0 of the Kpathsea library, -released in January 2024. +released in November 2024. The library's fundamental purpose is to return a filename from a list of directories specified by the user, similar to what shells do when @@ -2574,7 +2574,7 @@ to potentially dangerous files is a configuration variable • When set to ‘a’ (for "any"), no restrictions are imposed. • When is set to ‘r’ (for "restricted"), filenames beginning with ‘.’ - are disallowed (except ‘.tex’, because LaTeX needs it). + are disallowed. • When set to ‘p’ (for "paranoid"), additional restrictions are imposed. 
@@ -4124,66 +4124,66 @@ Index  Tag Table: -Node: Top1479 -Node: Introduction2261 -Node: History4352 -Node: unixtex.ftp8972 -Node: Security10454 -Node: Global font cache and security13167 -Node: TeX directory structure15158 -Node: Path searching19333 -Node: Searching overview20291 -Node: Path sources24198 -Node: Config files25468 -Node: Path expansion30516 -Node: Default expansion31485 -Node: Variable expansion33607 -Node: Tilde expansion35076 -Node: Brace expansion36124 -Node: KPSE_DOT expansion37119 -Node: Subdirectory expansion37644 -Node: Casefolding search40084 -Node: Casefolding rationale40861 -Node: Casefolding examples42219 -Node: Filename database47441 -Node: ls-R48455 -Node: Filename aliases52327 -Node: Database format53569 -Node: Invoking kpsewhich54618 -Node: Path searching options55601 -Node: Specially-recognized files65603 -Node: Auxiliary tasks67078 -Node: Standard options71222 -Node: TeX support71590 -Node: Supported file formats72948 -Node: File lookup81699 -Node: Glyph lookup83504 -Node: Basic glyph lookup84652 -Node: Fontmap85560 -Node: Fallback font88168 -Node: Suppressing warnings89104 -Node: mktex scripts90267 -Node: mktex configuration91510 -Node: mktex script names97603 -Node: mktex script arguments99286 -Node: Programming100201 -Node: Programming overview100844 -Node: Calling sequence103755 -Node: Safe filenames109092 -Ref: openout_any109251 -Node: Program-specific files113104 -Node: Programming with config files114157 -Node: Reporting bugs115804 -Node: Bug checklist116482 -Node: Mailing lists120039 -Node: Debugging120716 -Node: Logging125973 -Node: Common problems127880 -Node: Unable to find files128357 -Node: Slow path searching130813 -Node: Unable to generate fonts132208 -Node: TeX or Metafont failing134744 -Node: Index135946 +Node: Top1481 +Node: Introduction2264 +Node: History4356 +Node: unixtex.ftp8976 +Node: Security10458 +Node: Global font cache and security13171 +Node: TeX directory structure15162 +Node: Path searching19337 +Node: 
Searching overview20295 +Node: Path sources24202 +Node: Config files25472 +Node: Path expansion30520 +Node: Default expansion31489 +Node: Variable expansion33611 +Node: Tilde expansion35080 +Node: Brace expansion36128 +Node: KPSE_DOT expansion37123 +Node: Subdirectory expansion37648 +Node: Casefolding search40088 +Node: Casefolding rationale40865 +Node: Casefolding examples42223 +Node: Filename database47445 +Node: ls-R48459 +Node: Filename aliases52331 +Node: Database format53573 +Node: Invoking kpsewhich54622 +Node: Path searching options55605 +Node: Specially-recognized files65607 +Node: Auxiliary tasks67082 +Node: Standard options71226 +Node: TeX support71594 +Node: Supported file formats72952 +Node: File lookup81703 +Node: Glyph lookup83508 +Node: Basic glyph lookup84656 +Node: Fontmap85564 +Node: Fallback font88172 +Node: Suppressing warnings89108 +Node: mktex scripts90271 +Node: mktex configuration91514 +Node: mktex script names97607 +Node: mktex script arguments99290 +Node: Programming100205 +Node: Programming overview100848 +Node: Calling sequence103759 +Node: Safe filenames109096 +Ref: openout_any109255 +Node: Program-specific files113064 +Node: Programming with config files114117 +Node: Reporting bugs115764 +Node: Bug checklist116442 +Node: Mailing lists119999 +Node: Debugging120676 +Node: Logging125933 +Node: Common problems127840 +Node: Unable to find files128317 +Node: Slow path searching130773 +Node: Unable to generate fonts132168 +Node: TeX or Metafont failing134704 +Node: Index135906  End Tag Table diff --git a/texk/kpathsea/doc/kpathsea.texi b/texk/kpathsea/doc/kpathsea.texi index cf1e27255f..4e2e42c039 100644 --- a/texk/kpathsea/doc/kpathsea.texi +++ b/texk/kpathsea/doc/kpathsea.texi @@ -3,7 +3,7 @@ @settitle Kpathsea: A library for path searching @set version 6.4.0 -@set month-year January 2024 +@set month-year November 2024 @copying This file documents the Kpathsea library for path searching. 
@@ -3386,8 +3386,7 @@ When set to @samp{a} (for ``any''), no restrictions are imposed. @item @cindex restricted mode, for output files When is set to @samp{r} (for ``restricted''), filenames beginning -with @samp{.} are disallowed (except @file{.tex}, because @LaTeX{} -needs it). +with @samp{.} are disallowed. @item @cindex paranoid mode, for output files diff --git a/texk/kpathsea/tex-file.c b/texk/kpathsea/tex-file.c index b7097d4d68..7dc62cdb5c 100644 --- a/texk/kpathsea/tex-file.c +++ b/texk/kpathsea/tex-file.c @@ -1277,7 +1277,6 @@ kpathsea_name_ok (kpathsea kpse, const_string fname, const_string check_var, if ((q == fname || IS_DIR_SEP (*(q - 1))) /* start or / precedes dot? */ && !IS_DIR_SEP (*(q + 1)) /* ok if /./ */ && !(*(q + 1) == '.' && IS_DIR_SEP (*(q + 2))) /* ok if /../ */ - && !STREQ (q, ".tex") /* specially allow .tex */ && !(extended && kpathsea_absolute_p (kpse, expanded_fname, false)) /* Don't quit if EXTENDED and the input is absolute, because we want to allow TEXMFVAR=~/.texliveYYYY. This
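Review bot: the new NEWS bullet is inserted above the "6.4.0 (for TeX Live 2024, 10 March 2024)" heading with no heading of its own, so a reader cannot tell which release it belongs to; add a heading for the release that will carry this change above the bullet, or fold it into the section that is meant to carry it.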
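Review bot: in the kpathsea.info and kpathsea.texi hunks the release month becomes "November 2024" while "@set version 6.4.0" and "corresponds to version 6.4.0" stay as they are, and the NEWS context line dates 6.4.0 to 10 March 2024; either bump the version together with month-year or leave month-year alone, otherwise the manual describes one version 6.4.0 released on two different dates. kpathsea.info is a generated file, so the makeinfo 7.1 to 7.1.1 change and the Tag Table churn would be better regenerated at release time than committed with the functional change.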
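Review bot: the unchanged context line "When is set to @samp{r} (for ``restricted'')" is missing its subject; since this paragraph is being rewritten anyway, change it to "When set to @samp{r}" to match the @samp{a} item just above it, and carry the same fix into the corresponding kpathsea.info hunk.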
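Review bot: dropping `&& !STREQ (q, ".tex") /* specially allow .tex */` makes kpathsea_name_ok refuse an output file named ".tex" in restricted mode, which any toolchain still using the pre-2024-11-01 LaTeX build process will hit as a refused open; the NEWS entry should say that the restriction is lifted by the "a" (any) setting described in the manual hunk, and a regression check that ".tex" is now refused while "/./" and "/../" paths are still accepted would record the intent better than the deleted comment did.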