| <<<Back 1 day (to 2019/11/10) | Fwd 1 day (to 2019/11/12) >>> | 20191111 |
Robin_Watts | Hi marhr. | 18:52.43 |
| marehr, even. | 18:52.47 |
| best to do this in public, cos then people who know more than me can join in. | 18:53.00 |
| (although, today is a holiday in the US, so my colleagues there might not be here, and my UK colleagues have gone for the night). | 18:53.37 |
marehr | okay; I opened this bug https://bugs.ghostscript.com/show_bug.cgi?id=701894 and I guess irc allows for faster try and error | 18:53.55 |
Robin_Watts | yup. I recognised your name. | 18:54.09 |
kens | is typing on that report, give me a moment | 18:54.19 |
Robin_Watts | Does the _form0.ps file exist? | 18:54.33 |
marehr | yes | 18:54.36 |
kens | Robin_Watts: seriously, give me a second and I'll post where I am | 18:54.54 |
Robin_Watts | kens: Ok. | 18:55.05 |
kens | OK pressed 'save changes' you should get email | 18:56.11 |
Robin_Watts | Your -r param seems dodgy to me, anyway, but I suspect you're getting away with it by luck. | 18:56.14 |
kens | -g and -r are not incompatible | 18:56.45 |
| -g sets the media size in pixels, -r sets the resolution. Taken together you can figure out the media size in points | 18:57.13 |
| In this case, really small | 18:57.28 |
Robin_Watts | kens: a) I know that's what "undefinedfilename" means. I'm just not 100% sure that won't be the error you get if a file is refused access. | 18:57.32 |
kens | Robin_Watts: I tried it | 18:57.40 |
| You don't get invalidaccess | 18:57.46 |
marehr | I have a look :) | 18:57.54 |
kens | but if you remove the -- | 18:57.55 |
| Then you will | 18:57.59 |
Robin_Watts | b) If he removes -- then he shouldn't need --permit-file-read= because the code automatically adds paths for such command line arguments, I believe. | 18:58.21 |
kens | The -- is supposed to take the next filename as a filename, and then 'everything after that' is treated as switches and stored in a dictionary | 18:58.27 |
| Robin_Watts: no because _form0.ps executes 'run' on _form0.eps | 18:58.44 |
| So you do need to permit-file-read on _form0.eps | 18:58.57 |
| That's *eps* not *ps* | 18:59.02 |
Robin_Watts | oh. so he'll need --permit-file-read=_form0.eps, yes, sorry. | 18:59.06 |
kens | Yeah it's a 2-step problem | 18:59.15 |
Robin_Watts | but he won't need it on _form0.ps itself. | 18:59.20 |
kens | Solve the first one and you hit the second one | 18:59.24 |
| Correct, _form0.ps runs fine, as long as you remove '--' | 18:59.42 |
| -- does appear to be broken | 18:59.52 |
Robin_Watts | So, chris or I needs to fix --. | 18:59.58 |
kens | Frankly it looks like a bonkers option to me, but what do I know ? | 19:00.07 |
| I see I have freely mistyped the filenames on my comment :-( | 19:01.03 |
| I apologise for the comment, I wanted to finish it up quick, sorry about that. | 19:01.54 |
marehr | No problem, I can confirm that your suggestion seems to work | 19:03.20 |
kens | OK so I guess Robin or Chris probably needs to try and fix the -- switch | 19:03.51 |
| But for the file permissions, you probably need someone from the application end to make changes | 19:04.10 |
Robin_Watts | hmm. | 19:04.28 |
| "--" appears to be treated the same as "-+" and almost the same as "-@" | 19:05.02 |
kens | Given this is all (I think) internal to the application, it could probably get away with running Ghostscript with -dNOSAFER, though I would not recommend it | 19:05.03 |
| Robin_Watts: yeah sorry I haven't had the time to read that properly, but yes I think you are right | 19:05.22 |
| If that helps at all | 19:05.26 |
marehr | I'm in contact with the doxygen maintainer and I think any "proper" way that is downwards compatible is acceptable. | 19:05.53 |
kens | The only solution which is going to be backwards compatible is -dNOSAFER. I would urge the maintainer not to do that. | 19:06.48 |
| Because it potentially opens you up to vulnerabilities | 19:07.04 |
Robin_Watts | Using -dNOSAFER will work on old and new gs, but a) it's unsafe, and b) we're probably going to remove it at some point. | 19:07.26 |
kens | A malicious PostScript program could potentially be executed, which could do pretty much anything that is permitted by the user level which Ghostscript is being run at. | 19:07.41 |
marehr | Why is the new command not failing silently in older releases? | 19:07.50 |
kens | Robin_Watts: I don't think we'll remove -dNOSAFER | 19:07.51 |
| marehr: we changed Ghostscript in 9.50, it now runs with SAFER turned on by default, previously it was off | 19:08.12 |
Robin_Watts | marehr: Cos we lack the required time machine. | 19:08.15 |
kens | Oh and yes, new switches won't work with old Ghostscript | 19:08.38 |
marehr | so SAFER was already an option in older releases? | 19:08.40 |
Robin_Watts | --permit-file-read is a new command for 9.50 onwards. | 19:08.40 |
| SAFER was an option, now it's the default. | 19:08.52 |
| but the file reading control stuff wasn't present in older versions. | 19:09.11 |
| (so --permit-file-read=... is an unknown flag when fed to old versions). | 19:09.32 |
marehr | ah okay; I just think about the least minimal pain to get this safe. | 19:10.57 |
| The eps file is generated by us so there is technically no threat to us. | 19:11.58 |
Robin_Watts | marehr: Check what version of gs you are running. If >= 9.5 give the --permit-file-read=, I think. | 19:12.05 |
marehr | but maybe there is an even better solution | 19:12.16 |
Robin_Watts | If both the eps and ps files are created by you, then you can argue that -dNOSAFER is safe enough for you. | 19:12.31 |
kens | -dNOSAFER is risky, while it's useful to check out stuff, I would not recommend that anyone use it in production | 19:12.43 |
| Though as Robin says, in a totally closed environment, yes it's safe. | 19:13.38 |
Robin_Watts | It means that people might be able to find an exploit through your process to getting you to generate PS files in a way that could get control through gs. | 19:14.40 |
| it means you need to take care in a way that you wouldn't otherwise. | 19:14.56 |
marehr | I'm no maintainer of doxygen so they would need to make that decision. | 19:15.32 |
| But maybe we can look at it and think of another way to achieve the same effect. | 19:16.32 |
| They use it in here: https://github.com/doxygen/doxygen/blob/4fbb61f020a607a96152ba5c00668b9840ea812c/src/formula.cpp#L164-L184 | 19:16.44 |
Robin_Watts | -r%dx%dx should be -r%dx%d (though see kens' warning earlier about using -g and -r together) | 19:18.49 |
kens | Hmm, I'd missed that | 19:19.28 |
| You're quite right of course | 19:19.33 |
Robin_Watts | and replace -- with -dNOSAFER. | 19:19.36 |
kens | Yes the '--' serves no useful purpose in that program, I suspect it's been used by cargo cult techniques. | 19:21.02 |
marehr | Okay thank you so far. | 19:30.10 |
kens | NP feel free to drop by and discuss further or have the doxygen guy come round | 19:30.58 |
marehr | So basically 3 different problems: `-r%dx%d`, misuse of `--` and since 9.5 the command needs more control access. | 19:32.11 |
kens | Yeah the %dx is wrong, as Robin says it's sheer luck that works | 19:32.35 |
| the -- isn't needed and is what's causing the first problem | 19:32.47 |
| and file control is the new bugbear | 19:32.59 |
marehr | But -r and -g can be used together | 19:35.02 |
kens | Yes, taken together they will define a media at a given resolution. In the case of the command line there, it will be quite small. | 19:35.48 |
| But maybe that's correct, I'm not in a position to judge :-) | 19:36.00 |