[Tex/LaTex] Can filecontents write an external file in a parent directory

external filesfilecontents

Reading Are there any disadvantages of TeX being Turing complete? got me thinking about the potential of .tex files for harbouring malicious code.

The filecontents package is used to write external files from within a LaTeX document. According to my tests, it can be used to write external files in an existing path down the directory tree. In other words, it can create a file in the directory in which the input .tex file is located, or in any of its subdirectories. For instance, the following code works as expected,

\documentclass{article}

\usepackage{filecontents}

\begin{filecontents*}{./myfolder/myfile.txt}
Hello World
\end{filecontents*}

\begin{document}
test
\end{document}

as long as

./myfolder

is a valid path (i.e. the "myfolder" subdirectory already exists):

Is writing an external file up the directory tree possible?

All of my attempts so far have been unfruitful. I'm guessing that it's not possible; otherwise, that would represent a potentially very malicious exploit, without even requiring --shell-escape; malevolent people would have used that exploit long before I asked myself this question, and LaTeX would have become infamous for it.

So, is writing an external file up the directory tree possible or not? If the answer is yes, how do you do it? If the answer is no, what exactly forbids it?

Best Answer

It depends how paranoid you are.

My texmf.cnf (default texlive 2012) says

% Allow TeX \openin, \openout, or \input on filenames starting with `.'
% (e.g., .rhosts) or outside the current tree (e.g., /etc/passwd)?
% a (any)        : any file can be opened.
% r (restricted) : disallow opening "dotfiles".
% p (paranoid)   : as `r' and disallow going to parent directories, and
%                  restrict absolute paths to be under $TEXMFOUTPUT.
openout_any = p
openin_any = a

Related Solutions

[Tex/LaTex] Put from external file

This may meet your needs. I found it at File input and output; I'm reproducing it (somewhat simplified) here:

With this sample fileOut.txt:

first line, with a \TeX{} macro to expand
second line
third line

the code

\documentclass{article}

\newread\file
\openin\file=fileOut.txt

\newcommand{\getnextline}{%
 \read\file to\fileline % Reads a line of the file into \fileline
 \fileline % display it
}

\begin{document}

First line of fileOut.txt: 

\getnextline{}

More text here, then second line: \getnextline{}

Third line: \getnextline{}

Read past end of file? \getnextline{}
\closein\file

\end{document}

produces

enter image description here

I hope this works for you in XeTeX with Arabic text.

Edit to answer the OP's further questions:

Since the example here works, the open and close statements are where they belong. Good programming practice (in any language) would call for checks that the file exists and is readable. I didn't do that since this answer is just a proof of concept. If you are in complete control of your environment and know the file will always be where it's expected, you need not bother.

I don't know what happens if you don't close an open file. I do know that TeX limits the number of files that you can have open at the same time. Some applications aren't good about releasing file handles by themselves, so it's a good habit to close them yourself.

I was curious about what would happen if I read past the end of the file. The example shows that reading a line that's not there just returns an empty string. You need to decide whether that's acceptable in your use case. If not, test for eof and act accordingly.

[Tex/LaTex] Use filecontents everywhere in the document (including after “\end{document}”)

As others have said in the comments, \end{document} causes TeX execution to end by calling \@@end, as we can see in latex.ltx:3900:

\def\enddocument{%
   \let\AtEndDocument\@firstofone
   \@enddocumenthook
   \@checkend{document}%
   \clearpage
   \begingroup
     % 24 lines omitted
   \endgroup
   \deadcycles\z@\@@end}

After \@@end is seen/expanded/processed, TeX simply stops reading the file. The final {filecontents} has no hope of being seen.

Heiko noted in the comments that you can pull a trick to have TeX simply continue on after \end{document}, but beware – hic sunt dracones :)

\documentclass{article}
\usepackage{filecontents}
\begin{document}
hello, world

\makeatletter
\let\@@sean@end\@@end
\let\@@end\begingroup
\end{document}
\begin{filecontents}{d}
d
\end{filecontents}
\@@sean@end

This creates four files: ./{a,b,c,d}.

Heiko notes:

LaTeX does some trickery to get rid of the group for document by the environment code. Otherwise, putting the document in a group would raise memory issues, when TeX wants to restore all local assignments after the group. But since \end{document} is the end of the TeX job, there is no point restoring assignments afterwards.

I'm still willing to say that attempting to engineer this behavior out of LaTeX is a futile effort or, at the very least, effort better well spent asking why the behavior is needed in the first place.

Best Answer

Related Solutions

[Tex/LaTex] Put from external file

[Tex/LaTex] Use filecontents everywhere in the document (including after “\end{document}”)

Related Question