path: root/MANUAL.txt
author John MacFarlane <jgm@berkeley.edu> 2021-08-21 15:30:13 -0700
committer John MacFarlane <jgm@berkeley.edu> 2021-08-28 22:31:42 -0700
commit d6d7c9620abddc5e5e45450c091bc8a73bac8f66 (patch)
tree 2dd3e01150a5611f5bb86cd08239de7f5eca3106 /MANUAL.txt
parent b76796eae8ce842f8414cca8cd8e3b55be513694 (diff)
download pandoc-d6d7c9620abddc5e5e45450c091bc8a73bac8f66.tar.gz
Add `--sandbox` option.
+ Add sandbox feature for readers. When this option is used, readers and writers only have access to input files (and other files specified directly on command line). This restriction is enforced in the type system.
+ Filters, PDF production, custom writers are unaffected. This feature only insulates the actual readers and writers, not the pipeline around them in Text.Pandoc.App.
+ Note that when `--sandboxed` is specified, readers won't have access to the resource path, nor will anything have access to the user data directory.
+ Add module Text.Pandoc.Class.Sandbox, defining `sandbox`. Exported via Text.Pandoc.Class. [API change]

Closes #5045.
Diffstat (limited to 'MANUAL.txt')
-rw-r--r-- MANUAL.txt 13
1 files changed, 12 insertions, 1 deletions
diff --git a/MANUAL.txt b/MANUAL.txt
index 5dc35c8ff..75e74f1cd 100644
--- a/MANUAL.txt
+++ b/MANUAL.txt
@@ -730,6 +730,16 @@ header when requesting a document from a URL:
document in standalone mode. If no *VAL* is specified, the
key will be given the value `true`.
+`--sandbox`
+
+: Run pandoc in a sandbox, limiting IO operations in readers
+ and writers to reading the files specified on the command line.
+ Note that this option does not limit IO operations by
+ filters or in the production of PDF documents. But it does
+ offer security against, for example, disclosure of files
+ through the use of `include` directives. Anyone using
+ pandoc on untrusted user input should use this option.
+
`-D` *FORMAT*, `--print-default-template=`*FORMAT*
: Print the system default template for an output *FORMAT*. (See `-t`
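Review bot: The new `--sandbox` entry understates the scope of what is left unsandboxed and omits a side effect users will hit. The commit message lists "Filters, PDF production, custom writers" as unaffected, but the manual text only names filters and PDF production; custom writers should be added to the same sentence. The commit message also says that under the sandbox readers lose access to the resource path and nothing can read the user data directory, which changes the behaviour of `--resource-path` and of templates or defaults files loaded from the data directory; a sentence such as "In sandbox mode the resource path and the user data directory are not consulted." would save users from debugging a silent lookup failure. Finally, "reading the files specified on the command line" should say explicitly whether that means input files only or also files named by other options, since the commit message says "input files (and other files specified directly on command line)".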
@@ -6543,7 +6553,8 @@ application, here are some things to keep in mind:
2. Several input formats (including HTML, Org, and RST) support `include`
directives that allow the contents of a file to be included in the
output. An untrusted attacker could use these to view the contents of
- files on the file system.
+ files on the file system. (Using the `--sandbox` option can
+ protect against this threat.)
3. If your application uses pandoc as a Haskell library (rather than
shelling out to the executable), it is possible to use it in a mode
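Review bot: The parenthetical added to item 2 should note the limits of the protection so the security section stays consistent with the option description in the first hunk: `--sandbox` restricts only the readers and writers, so an `include` resolved by a filter or during PDF production is not covered. Item 3, which addresses using pandoc as a Haskell library rather than shelling out to the executable, is the natural place to point library users at the new `sandbox` function in Text.Pandoc.Class (named in the commit message), since the `--sandbox` flag is not available to them; a one-line cross-reference there would make the "enforced in the type system" guarantee discoverable.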