From 1a4066d086222ef88ba5dd9473da6b036775d014 Mon Sep 17 00:00:00 2001
From: Boud Roukema <boud@cosmo.torun.pl>
Date: Tue, 16 Jun 2020 00:42:35 +0200
Subject: Security risk of LaTeX's -shell-escape option explained in comment

The 'pdflatex' program is used to build the default Maneage-branch paper.
But since the default paper uses PGFPlots to build the figures within LaTeX
as an external PDF, PGFPlots requires 'pdflatex' to be called with the
'-shell-escape' option. Generally, this option can be considered as a
security risk (in particular when 'pdflatex' is being run by an external
LaTeX file: a malicious LaTeX writer may embed commands in the LaTeX source
that will be executed on the host if this option is present).

This is not too serious of an issue in Maneage, because when someone runs
Maneage, they intentionally let it run many on their system. Hence if
someone wants to exploit a host system, they can add the necessary commands
long before 'pdflatex' is run. After all, all commands in Maneage are run
with the calling user's permissions, hence they have access to many parts
of the user's accounts. If someone is worried about security on a
non-trusted Maneage project they should act the same as they do with any
software: define a new user for it, and call it with that user (as a
weak-level security), or run it in a virtual machine or container.

However, since this option has been explicity mentioned as a security risk
before, it helps if we have a comment explaining its usage in 'paper.mk'.
With this commit, the concerned user will read a brief explanation and can
read the brief discussion at [1] and possibly re-open the discussion or
propose ways of mitigating the security risk(s).

[1] https://savannah.nongnu.org/task/?15694
---
 reproduce/analysis/make/paper.mk | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/reproduce/analysis/make/paper.mk b/reproduce/analysis/make/paper.mk
index 226a37d..5227e55 100644
--- a/reproduce/analysis/make/paper.mk
+++ b/reproduce/analysis/make/paper.mk
@@ -100,6 +100,13 @@ $(texbdir)/paper.bbl: tex/src/references.tex $(mtexdir)/dependencies-bib.tex \
 	  p=$$(pwd)
 	  export TEXINPUTS=$$p:
 	  cd $(texbdir);
+
+          # The pdflatex option '-shell-escape' is "normally disallowed for
+          # security reasons" according to the `info pdflatex' manual, but
+          # is enabled here in order to allow the use of PGFPlots. If you
+          # do not use PGFPlots, then you should remove the `-shell-escape'
+          # option for better security. See
+          # https://savannah.nongnu.org/task/?15694 for details.
 	  pdflatex -shell-escape -halt-on-error $$p/paper.tex
 	  biber paper
 
@@ -127,6 +134,8 @@ paper.pdf: $(mtexdir)/project.tex paper.tex $(texbdir)/paper.bbl
 	  p=$$(pwd)
 	  export TEXINPUTS=$$p:
 	  cd $(texbdir)
+          # See above for a warning and brief discussion on the the
+          # pdflatex option `-shell-escape'.
 	  pdflatex -shell-escape -halt-on-error $$p/paper.tex
 
           # Come back to the top project directory and copy the built PDF
-- 
cgit v1.2.1