On Mon, Oct 22, 2012 at 12:24 PM, Pavel Sanda <sa...@lyx.org> wrote:
> Scott Kostyshak wrote:
>> Any thoughts as far as improving security, warning the user, or
>> documentation?
>
> Up to this moment we were trying not to include anything which could be used
> in
> the exec("rm -rf /") way (this was the only reason why gnuplot is not
> supported
> by lyx for example, there was working patch already). I didn't check your
> example but IIRC we used some special parameter for latex which forbids such
> security flaws - can you check whether your example really works?
The example I made was for knitr/Sweave and that works. You are right
that \write18 is disabled by default.
The latex (pdflatex) -> pdf (pdflatex) must be changed to pdflatex
-shell-escape $$i and then it works. This is good.
> knitr/sweave stuff went in without anyone knowing it... IMHO we should either
> disable this by default or ask for the first time.
>
> If we have working mechanism how to notify the user, we can include gnuplot
> support as well.
As annoying as an extra dialog would be, I think we should have one in
this case. I think that if people know that the knitr or Sweave module
is enabled in a document then the burden is on them to realize that
there could potentially be malicious code inside. By "ask for the
first time" do you mean ask for the first time that each document is
open or ask for the first time that the module is used anywhere? I'm
not sure what most people would prefer. I would prefer that on every
new document I open, if it has the Sweave/knitr module enabled, I am
notified (with an option of turning such notifications off
permanently).
Scott
