[Tex/LaTex] Equivalent to TeXLive’s –restricted-shell-escape for MiKTeX

miktexmintedSecurityshell-escapewindows

I often work on Windows, so need to use MiKTeX. I recently found the minted package, which needs to call the external command pygmentize. I currently call xelatex with the -shell-escape option to support this, but I'd rather not give malicious latex files complete access to my system. TeXLive has the --restricted-shell-escape option, which is what I want, but it doesn't seem to be available on MiKTeX. I did find a passing reference to --shell-restricted, but I don't know if that's what I want, and if it is what I want I don't know how to use it.

Is --shell-restricted a way to tell XeLaTeX to run pygmentize but not del /F /S /Q C:\*.*? If so, how do I use it? If not, is there such a way and how do I use it? If you can, could you also link me to the official documentation on the subject?

Best Answer

MiKTeX includes the option --restrict-write18 to allow a restricted set of commands to be run: this is enabled by default with an up-to-date MiKTeX. However, to allow this to work with minted there are two additional issues. First, you need to add pygmentize to the list of allowed commands: a separate question on this (probably for the 'general case') would be best. Secondly, minted checks for fully-enabled \write18 before it will even run: circumventing this would require a modified version of the package or a request to the package author to change the code.

As an aside, TeX Live runs fine on Windows, but of course you'd still have to deal with the two caveats.

Related Solutions

[Tex/LaTex] How to enable write 18 on a MikTeX installation

A similar question came up recently in a German user forum. The user found the answer in the end with help of this link

You can enable write18 by writing

initexmf --edit-config-file=miktex\config\pdflatex.ini

in DOS. You can get to the DOS window by hitting the windows Start button, click on "run" and write "cmd" (without the quotes obviously, this might also be slightly different for win7, I think there you can write cmd right in the search line that comes up after hitting the start button).

It might as well also work to do Start->run and then paste the above line right into this little run window (see below)

the pdflatex.ini should open in an editor and you can enter

EnableWrite18=t

save and close the file. Now it should be permanently enabled with pdflatex.

Another way is to pass -enable-write18 to pdflatex. This can usually be done in the editor of your choice. For example in TeXnicCenter it looks something like:

Path of the compiler:

C:\...\pdflatex.exe (this is set already)

Arguments passed to the compiler

-interaction=nonstopmode -enable-write18 %tm

enter image description here

Update:

To do this on WinEdt, do the following:

Go to Options and click on Execution Modes (See image below)
Enter --enable-write18 under the pdflatex Accessories under switches as shown in the diagram below.

[Tex/LaTex] How to determine what items to add to the “restricted-shell-escape” safe list

I would avoid modifying the list of programs allowed to run in the restricted shell. These are either programs that don't write out any output (and when output redirection is requested they don't work in the restricted shell escape setting) or respect the openout_any setting in texmf.cnf.

As far as the present problem is concerned, running pdflatex with shell escape enabled on the file filename.tex consists in using the command line

pdflatex -shell-escape filename

(no quotes).

How to setup a front-end to run this command depends on the front-end itself. With TeXShop, for example, one can define a new engine. In your ~/Library/TeXShop/Engines folder duplicate XeLaTeX.engine and call it pdflatexshell.engine. Modify the file (with TeXShop itself) to read

#!/bin/tcsh

set path= (/usr/texbin /usr/local/bin $path)
pdflatex -shell-escape "$1"

and, for a file you want to compile with unrestricted shell escape, write at its beginning

% !TEX TS-program = pdflatexshell

so that the engine will be automatically selected on opening.

What to do with other front-ends or LyX will vary.

If you really want to use the restricted shell escape, you have to enable

uname
rm
echo
latex

The program list can be determined by searching for runsystem in the .log file.

Best Answer

Related Solutions

[Tex/LaTex] How to enable write 18 on a MikTeX installation

Update:

[Tex/LaTex] How to determine what items to add to the “restricted-shell-escape” safe list

Related Question