On Sun, Oct 21, 2012 at 3:08 AM, Yihui Xie <x...@yihui.name> wrote:
> I learned \write18 from a quick search:
> http://stackoverflow.com/questions/3252957/how-to-execute-shell-script-from-latex

I didn't know about that. Then yes, if LyX allows security problems like that from LaTeX I should not be worrying about Sweave and knitr.

Here's another useful discussion
http://www.texdev.net/2009/10/06/what-does-write18-mean/

And since then there are now options to enable/disable write18. See, for example
http://docs.miktex.org/manual/pdftex.html

--disable-write18
    Disable the \write18{command} construct.

But I guess this is the job of the user and depends on the LaTeX distribution installed so it's not LyX's jurisdiction.

> Security problems exist in most software packages. In this case
> (knitr/Sweave), a pure technical solution does not seem to be
> possible... Sometimes I do want to execute system() commands.

Same here.

Best,

Scott

> Regards,
> Yihui
> --
> Yihui Xie <xieyi...@gmail.com>
> Phone: 515-294-2465 Web: http://yihui.name
> Department of Statistics, Iowa State University
> 2215 Snedecor Hall, Ames, IA
>
>
> On Sun, Oct 21, 2012 at 1:54 AM, Liviu Andronic <landronim...@gmail.com>
> wrote:
>> On Sun, Oct 21, 2012 at 6:55 AM, Yihui Xie <x...@yihui.name> wrote:
>>> The blacklist-based solution can stop nothing as you showed, so I
>>> think we cannot do much except writing it in the documentation.
>>>
>> What about an MS Excel style 'Do not execute scripts' option or
>> dialogue? Basically we could introduce two modes when Sweave/knitr
>> module is loaded:
>> - Run scripts, all works as it does now.
>> - Do not run scripts, where the scripty modules are being disabled (or
>> similar) and some flag is being displayed somewhere, perhaps in the
>> status bar (or the WM title bar).
>>
>> If scripts are detected then a dialogue pops up with a warning and
>> asks the user how to proceed. This should provide a minimum of
>> security.
>>
>> What do you think of this? Regards
>> Liviu
>>
>> PS While we're on the subject of security, is it not possible to
>> simply use LaTeX to write malicious code?
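
A sketch of the detection step behind the 'Do not run scripts' mode proposed in this thread, added here as an illustration and not code from LyX, knitr or any poster: it flags the presence of Sweave/knitr chunks, \Sexpr and \write18 instead of blacklisting particular calls. The function names, the regexes (modelled on the noweb chunk syntax) and the sample document are assumptions constructed for the example.

```python
import re

CHUNK_BEGIN = re.compile(r"^\s*<<(.*)>>=")        # noweb chunk header (Sweave/knitr)
CHUNK_END = re.compile(r"^\s*@\s*(%.*)?$")        # noweb chunk terminator
INLINE_R = re.compile(r"\\Sexpr\s*\{")            # inline R expression
SHELL_ESCAPE = re.compile(r"\\write\s*18(?!\d)")  # TeX shell escape
TEX_COMMENT = re.compile(r"(?<!\\)%.*")           # unescaped % to end of line


def find_executable_content(text):
    """Return (line_no, kind) for each construct that runs code on compile.

    Presence-based on purpose: the R code inside a chunk is not inspected,
    because a blacklist of calls is easy to sidestep.
    """
    findings, in_chunk = [], False
    for no, line in enumerate(text.splitlines(), start=1):
        if in_chunk:
            # Chunk body is R, not TeX: skip until the terminator.
            if CHUNK_END.match(line):
                in_chunk = False
            continue
        if CHUNK_BEGIN.match(line):
            findings.append((no, "R chunk"))
            in_chunk = True
            continue
        tex = TEX_COMMENT.sub("", line)  # ignore commented-out TeX
        if INLINE_R.search(tex):
            findings.append((no, "inline \\Sexpr"))
        if SHELL_ESCAPE.search(tex):
            findings.append((no, "\\write18"))
    return findings


def needs_confirmation(text):
    """True if the document should trigger the 'how to proceed?' dialogue."""
    return bool(find_executable_content(text))


# Constructed sample document (not from the thread).
SAMPLE_RNW = r"""\documentclass{article}
\begin{document}
% \write18{ignored: this line is a TeX comment}
<<setup, echo=FALSE>>=
x <- rnorm(10)
@
The mean is \Sexpr{mean(x)}.
\immediate\write18{date > stamp.txt}
\end{document}
"""
```

The check errs on the side of prompting: text inside a verbatim environment that looks like a chunk or \write18 is flagged too.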