1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
|
Description: Don't execute commands with --exec by default
Author: Axel Beckert <abe@debian.org>
Debian-Bug: 706644
CVE-Id: CVE-2013-2208
Index: tpp/tpp.rb
===================================================================
--- tpp.orig/tpp.rb 2013-06-12 22:13:55.000000000 +0200
+++ tpp/tpp.rb 2013-06-12 22:15:08.000000000 +0200
@@ -725,9 +725,13 @@
end
def do_exec(cmdline)
- rc = Kernel.system(cmdline)
- if not rc then
- # @todo: add error message
+ if $execok then
+ rc = Kernel.system(cmdline)
+ if not rc then
+ # @todo: add error message
+ end
+ else
+ @screen.addstr("--exec disabled by default for security reasons. Use option -x to enable it.")
end
end
@@ -1683,6 +1687,7 @@
$stderr.puts "\t -t <type>\tset filetype <type> as output format"
$stderr.puts "\t -o <file>\twrite output to file <file>"
$stderr.puts "\t -s <seconds>\twait <seconds> seconds between slides (with -t autoplay)"
+ $stderr.puts "\t -x\t\tallow parsing of --exec in input files"
$stderr.puts "\t --version\tprint the version"
$stderr.puts "\t --help\t\tprint this help"
$stderr.puts "\n\t currently available types: ncurses (default), autoplay, latex, txt"
@@ -1699,6 +1704,7 @@
output = nil
type = "ncurses"
time = 1
+$execok = nil
skip_next = false
@@ -1720,6 +1726,8 @@
elsif ARGV[i] == "-s" then
time = ARGV[i+1].to_i
skip_next = true
+ elsif ARGV[i] == "-x" then
+ $execok = 1
elsif input == nil then
input = ARGV[i]
end
Index: tpp/doc/tpp.1
===================================================================
--- tpp.orig/doc/tpp.1 2013-06-12 22:13:55.000000000 +0200
+++ tpp/doc/tpp.1 2013-06-12 22:13:55.000000000 +0200
@@ -20,6 +20,8 @@
.TP
\-l output.tex input.tpp converts tpp slides into tex
.TP
+\-x allow usage of "\-\-exec"
+.TP
\-v/\-\-version display version number
.SH KEYS
|
