Re: [PATCH] docs: Makefile: Add -no-shell-escape option to LATEXOPTS

From: Jonathan Corbet
Date: Thu Feb 10 2022 - 12:50:37 EST

Next message: Guilherme G. Piccoli: "Re: [PATCH V4] notifier/panic: Introduce panic_notifier_filter"
Previous message: Jacopo Mondi: "Re: [PATCH v4 03/11] media: atmel: atmel-isc: implement media controller"
In reply to: Akira Yokosawa: "Re: [PATCH] docs: Makefile: Add -no-shell-escape option to LATEXOPTS"
Next in thread: Akira Yokosawa: "Re: [PATCH] docs: Makefile: Add -no-shell-escape option to LATEXOPTS"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Akira Yokosawa <akiyks@xxxxxxxxx> writes:

> By adding this option, message of "restricted \write18 enabled" from
> LaTeX can be silenced.
>
> As there is no use of \write18 in LaTeX sources from sphinx-build, it
> is safe to add this option.
>
> Reported-by: Jonathan Corbet <corbet@xxxxxxx>
> Signed-off-by: Akira Yokosawa <akiyks@xxxxxxxxx>
> ---
> Documentation/Makefile | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/Documentation/Makefile b/Documentation/Makefile
> index 9f4bd42cef18..64d44c1ecad3 100644
> --- a/Documentation/Makefile
> +++ b/Documentation/Makefile
> @@ -26,7 +26,7 @@ SPHINX_CONF = conf.py
> PAPER =
> BUILDDIR = $(obj)/output
> PDFLATEX = xelatex
> -LATEXOPTS = -interaction=batchmode
> +LATEXOPTS = -interaction=batchmode -no-shell-escape

Interesting. In my digging now and back in 2016 [1] everything I found
said that \write18 had to be explicitly enabled - and for good reason.
And I could never figure out *how* we were enabling it... It turns out
that the net misinformed me; how come nobody ever told me that could
happen? :)

Anyway, I've applied this, but I'm going to tweak the changelog a bit.
My reason for wanting this isn't to make the warning go away - it's a
*tiny* piece of the noise of a pdfdocs build. That warning is there for
a reason; \write18 is dangerous. We really don't want any way for
arbitrary shell commands to be executed via the docs build. So the new
text is:

It turns out that LaTeX enables \write18, which allows arbitrary shell
commands to be executed from the document source, by default. This the
often-seen warning during a pdfdocs build:

restricted \write18 enabled

That is a potential security problem and is entirely unnecessary; nothing
in the kernel PDF docs build needs that capability. So disable \write18
explicitly.

I think I'll add a Cc: stable while I'm at it. I know of no actual
threat, but this is best closed.

Thanks for fixing this,

jon

[1] https://lore.kernel.org/lkml/20161113125250.779df4dd@xxxxxxx/

Next message: Guilherme G. Piccoli: "Re: [PATCH V4] notifier/panic: Introduce panic_notifier_filter"
Previous message: Jacopo Mondi: "Re: [PATCH v4 03/11] media: atmel: atmel-isc: implement media controller"
In reply to: Akira Yokosawa: "Re: [PATCH] docs: Makefile: Add -no-shell-escape option to LATEXOPTS"
Next in thread: Akira Yokosawa: "Re: [PATCH] docs: Makefile: Add -no-shell-escape option to LATEXOPTS"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]