Never use local path for finding initscript

This is a security measure. The init script runs with maximum
privileges; in particular, it is allowed full shell escape and similar.
We don't want to allow circumventing such options by giving a
local file the same name as an initscript.
Marcel Krüger 2020-07-11 19:44:46 +02:00
parent 560a0da74d
commit 005b391342
1 changed files with 5 additions and 2 deletions


@ -20,8 +20,11 @@ for i, a in ipairs(os.selfarg) do
end
end
os.setenv("engine", status.luatex_engine)
local kpse_call = io.popen(string.format("kpsewhich -progname %s -format lua -must-exist %s-init.lua", format, format))
local file = kpse_call:read()
local kpse_call = io.popen(string.format("kpsewhich -progname %s -format lua -all -must-exist %s-init.lua", format, format))
local file
repeat
file = kpse_call:read()
until not file:match('^%.')
if not kpse_call:close() then
error(file)
end
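Review bot: The new `repeat … until not file:match('^%.')` loop indexes `file` without a nil check, so when kpsewhich prints nothing, or every line it prints starts with `.`, `kpse_call:read()` returns nil and the script stops with an "attempt to index a nil value" error before `kpse_call:close()` and `error(file)` are reached. That still fails closed, but it would be clearer to make it explicit with `until not file or not file:match('^%.')` and, after the close check, `if not file then error('no non-local ' .. format .. '-init.lua found') end`. The filter is also only a prefix test, so a relative search-path entry that does not begin with a dot would presumably still pass; accepting only absolute paths may be the stricter rule, which is worth confirming against the kpathsea configuration. A comment above the loop such as `-- skip matches from the current directory: the init script runs unrestricted` would record why local results are dropped. The surrounding script starts and continues outside the hunk.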