On 17 July 2017 at 00:57, Enrico Forestieri <for...@lyx.org> wrote:
> On Mon, Jul 17, 2017 at 12:49:05AM +0200, Christian Ridderström wrote:
>
> > Enrico argued that there are other (equally) dangerous converters already
> > in LyX. Then that's something to address. Does it have to be for this
> > release? If that's something to discuss, I can't say. Are many users
> > currently exposed, i.e. likely to be using it? It's bad if we have
> > security holes, but it's not necessarily good to immediately yank something
> > out. On the plus side, you as the release manager can decide what's needed
> > here as far as I am concerned.
>
> Dear Christian,
>
> I fear that this minted issue is a very well constructed case. At the
> moment there is no way you can risk something if not manually going through
> changing preferences. On the contrary, other features simply require a
> left click with the mouse to cause danger. It is really surprising that
> these features are not considered harmful while minted support is.
> But I am not surprised, because these are called FUD strategies and
> have always been used to muddy the waters and confound people.
Let me see if I understand this correctly, and perhaps it'll unconfuse some others as well.

Regarding Minted, which is an alternative way to insert pretty program listings in your document: at the moment it takes manual (typing) work to cause security issues in connection with minted. The "at the moment" likely refers to e.g. LyX 2.2.2, as [1] gives a nice illustration with screenshots on how to add the option '-shell-escape' to the converter 'pdflatex'. The downside with adding this option is that now other LaTeX code in the document has the possibility of doing "bad" stuff to my system. Further, my LyX is now configured with this -shell-escape that will then be active for all other LyX documents that I build. Oops.

Note: I'd probably deal with the security issue here by using two separately configured LyX instances that use different '-userdir':s. It would be nice to have a strong visual warning that I'm using the "unsafe" LyX though, but I guess I could manually configure a different paper colour in LyX.

If I've understood the proposed patches correctly, they involve making it easier for the user to enable -shell-escape, and also easier to disable shell-escape. I'm torn here. Some of the proposed UI approaches weren't bad, but I'd probably still worry that we're making it too easy for the user to do dangerous things. For Minted I'd then prefer to keep the old behaviour for now and add better integration when/if minted doesn't need shell-escape.

As for the other dangerous features, presumably related to something called "needauth", I don't know anything... I googled and found this [2]:

----
The converters definition syntax (LYX_HOME/lyxrc*) now supports a new option, 'needauth', to prevent completely automated execution of the converter, unless LyX acquired explicit consent by the user. This is a new security feature, useful for converters that are capable of executing arbitrary code, such as R scripts (used with sweave/knitr), embedded within LyX documents.
The user needs to explicitly grant per-document permission on the first need for using the converter on each document, unless he/she checks the "Don't ask again for this document" checkbox in the permission dialog. The new behavior can be fine-tuned from two new options in the preferences dialog (see their description below). These also allow for disabling 'needauth' converters altogether, if desired (default behavior).
----

I don't understand if the 'needauth' is new in LyX 2.3.0 or already existed.

However, and here I'm probably offending people and stepping on mines in a single paragraph: this seems bad to me. The text indicates to me that it's possible for a document to store some kind of setting that allows a converter (here an external program) to be run in an automated manner without my manual intervention or consent. Supposedly I first had to check "Don't ask again for this document", but consider the following example:

I create a document with some embedded code to be run by converters. It's my document, I trust it. Then I e-mail it to a colleague or perhaps my customer for review. Time goes by and eventually I get the document back from review, but the review took longer than expected and my next deadline was yesterday, so I'm in a hurry and build "my" document. Oops, some of the embedded code is now malicious, but the document still contains my setting that lets the converters execute...

So apologies for not knowing the details here, but if this is being introduced in LyX 2.3.0 it sounds like it could be pretty bad and I think the security aspects should be discussed.

{KABOOM} is hopefully the sound effect when someone points me to the thread where this was all thoroughly discussed and what I described can't happen...?

Best regards,
Christian

[1] http://brosnanyuen.blogspot.se/2015/09/lxy-and-minted.html
[2] https://wiki.lyx.org/LyX/NewInLyX23
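A toy model of the per-document 'needauth' permission discussed in the message above, added here as an illustration and not LyX's own code. It assumes a preference with the values "never" (needauth converters disabled altogether) and "ask", a dialog reply of "once" or "remember" (the "Don't ask again for this document" box), and shows the review round-trip Christian describes: a remembered grant keyed only to the file path silently applies to the modified document, while one bound to a content hash falls back to asking.

```python
import hashlib

class Converter:
    """A converter entry; `needauth` mirrors the lyxrc option named on the page."""
    def __init__(self, name, needauth):
        self.name = name
        self.needauth = needauth

def grant_key(path, content, bind_to_content):
    """Key under which a 'don't ask again' grant is remembered (assumed design)."""
    if bind_to_content:
        return (path, hashlib.sha256(content).hexdigest())
    return (path, None)

def may_run(conv, path, content, prefs, grants, answer, bind_to_content=False):
    """Decide whether `conv` may run on the document at `path`.
    prefs:   "never" disables needauth converters altogether, "ask" prompts.
    grants:  set of remembered per-document permissions (mutated on "remember").
    answer:  the user's reply to the dialog, or None when nothing was asked/answered.
    Returns True if the converter is allowed to execute."""
    if not conv.needauth:
        return True                      # ordinary converters never prompt
    if prefs == "never":
        return False                     # disabled altogether, no dialog
    key = grant_key(path, content, bind_to_content)
    if key in grants:
        return True                      # stored permission: runs without a prompt
    if answer == "remember":
        grants.add(key)                  # the checkbox persists the grant
    return answer in ("once", "remember")

def review_scenario(bind_to_content):
    """Grant on my own document, then build the copy that came back from review.
    Returns (allowed_first_build, allowed_after_review)."""
    knitr = Converter("knitr", needauth=True)
    grants = set()
    mine = b"<<>>= summary(mydata) @"          # constructed: my trusted chunk
    returned = b"<<>>= untrusted_chunk() @"     # constructed: altered during review
    first = may_run(knitr, "paper.lyx", mine, "ask", grants, "remember", bind_to_content)
    # In a hurry: the returned file is built with no dialog answered (answer=None).
    second = may_run(knitr, "paper.lyx", returned, "ask", grants, None, bind_to_content)
    return first, second

if __name__ == "__main__":
    print("path-keyed grant:   ", review_scenario(False))   # (True, True)
    print("content-bound grant:", review_scenario(True))    # (True, False)
```

With the path-keyed grant the modified document inherits the earlier consent; binding the grant to the document's hash makes any change during review require a fresh decision, and the "never" preference refuses needauth converters regardless of stored grants.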