Reading "Are there any disadvantages of TeX being Turing complete?" got me thinking about the potential of .tex files for harbouring malicious code.
The filecontents package is used to write external files from within a LaTeX document. According to my tests, it can be used to write external files in an existing path down the directory tree. In other words, it can create a file in the directory in which the input .tex file is located, or in any of its subdirectories. For instance, the following code works as expected,
\documentclass{article}
\usepackage{filecontents}
\begin{filecontents*}{./myfolder/myfile.txt}
Hello World
\end{filecontents*}
\begin{document}
test
\end{document}
as long as ./myfolder is a valid path (i.e. the "myfolder" subdirectory already exists).
Is writing an external file up the directory tree possible?
All of my attempts so far have been unfruitful. I'm guessing that it's not possible; otherwise, that would represent a potentially very malicious exploit, without even requiring --shell-escape; malevolent people would have used that exploit long before I asked myself this question, and LaTeX would have become infamous for it.
So, is writing an external file up the directory tree possible or not? If the answer is yes, how do you do it? If the answer is no, what exactly forbids it?
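An added example, not part of the original question or its answers: a static pre-compile check in Python that lists the file names filecontents environments in a .tex source would write and flags any that resolve outside the document's directory. The function names and every sample path other than ./myfolder/myfile.txt are made up for illustration.

```python
import os
import re

# Matches \begin{filecontents}{target} and \begin{filecontents*}{target},
# with an optional [options] argument before the file name.
FILECONTENTS_RE = re.compile(
    r"\\begin\{filecontents\*?\}\s*(?:\[[^\]]*\])?\s*\{([^}]*)\}"
)

def filecontents_targets(tex_source):
    """Return every file name a filecontents environment asks to write."""
    # Drop comments first so a commented-out environment is not reported.
    uncommented = re.sub(r"(?<!\\)%.*", "", tex_source)
    return [m.strip() for m in FILECONTENTS_RE.findall(uncommented)]

def escapes_directory(target, base_dir):
    """True if target, resolved against base_dir, lands outside base_dir."""
    base = os.path.realpath(base_dir)
    resolved = os.path.realpath(os.path.join(base, target))
    return os.path.commonpath([base, resolved]) != base

def audit(tex_source, base_dir):
    """Map each write target to 'inside' or 'outside' base_dir."""
    return {
        t: "outside" if escapes_directory(t, base_dir) else "inside"
        for t in filecontents_targets(tex_source)
    }

# Constructed sample input: the first target is the one from the question,
# the other paths are made up for illustration.
SAMPLE = r"""
\documentclass{article}
\usepackage{filecontents}
\begin{filecontents*}{./myfolder/myfile.txt}
Hello World
\end{filecontents*}
\begin{filecontents*}{../sibling/notes.txt}
x
\end{filecontents*}
% \begin{filecontents*}{/tmp/commented-out.txt}
\begin{filecontents}[overwrite]{sub/../../up.txt}
y
\end{filecontents}
"""

if __name__ == "__main__":
    for target, verdict in audit(SAMPLE, os.getcwd()).items():
        print(f"{verdict:8} {target}")
```

This is a static scan only: a file name assembled by macros at run time is not visible to it, so it is a triage step for untrusted sources rather than an enforcement mechanism.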
Best Answer
It depends how paranoid you are.
My texmf.cnf (default texlive 2012) says