From 13cf02acfd6ddc85bcd1788dc787d35fe92a2010 Mon Sep 17 00:00:00 2001
From: John MacFarlane <jgm@berkeley.edu>
Date: Fri, 20 Aug 2021 21:43:22 -0700
Subject: [PATCH] MANUAL.txt/security: add a note on security risks of include
 directives.

---
 MANUAL.txt | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/MANUAL.txt b/MANUAL.txt
index c94b69289..62ee9b593 100644
--- a/MANUAL.txt
+++ b/MANUAL.txt
@@ -6537,21 +6537,26 @@ application, here are some things to keep in mind:
    writer could in principle do anything on your file system. Please
    audit filters and custom writers very carefully before using them.
 
-2. If your application uses pandoc as a Haskell library (rather than
+2. Several input formats (including HTML, Org, and RST) support `include`
+   directives that allow the contents of a file to be included in the
+   output. An untrusted attacker could use these to view the contents of
+   files on the file system.
+
+3. If your application uses pandoc as a Haskell library (rather than
    shelling out to the executable), it is possible to use it in a mode
    that fully isolates pandoc from your file system, by running the
    pandoc operations in the `PandocPure` monad. See the document
    [Using the pandoc API](https://pandoc.org/using-the-pandoc-api.html)
    for more details.
 
-3. Pandoc's parsers can exhibit pathological performance on some
+4. Pandoc's parsers can exhibit pathological performance on some
    corner cases.  It is wise to put any pandoc operations under
    a timeout, to avoid DOS attacks that exploit these issues.
    If you are using the pandoc executable, you can add the
    command line options `+RTS -M512M -RTS` (for example) to limit
    the heap size to 512MB.
 
-4. The HTML generated by pandoc is not guaranteed to be safe.
+5. The HTML generated by pandoc is not guaranteed to be safe.
    If `raw_html` is enabled for the Markdown input, users can
    inject arbitrary HTML.  Even if `raw_html` is disabled,
    users can include dangerous content in URLs and attributes.
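Review bot: in the new item 2, "An untrusted attacker" is redundant (every attacker is untrusted); "a user supplying untrusted input" or simply "an attacker" reads better, and "included in the output" would be clearer as "read from disk and inserted into the document", since the point of the item is file-system read access. The new item also sits right before item 3, which describes the `PandocPure` mode that isolates pandoc from the file system; a short cross-reference such as "Running pandoc operations in the `PandocPure` monad (see item 3) prevents this" would put the mitigation next to the risk for library users. The renumbering of the following items (2 to 3, 3 to 4, 4 to 5) is consistent with the inserted item.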