On 07/18/2017 09:56 AM, Jürgen Spitzmüller wrote: > Am Dienstag, den 18.07.2017, 15:39 +0200 schrieb Jean-Marc Lasgouttes: >> Whi, not, maybe along with the names of the converters (features) >> Sweave/gnuplot/minted present in current document and accepted by the >> user. > I would add a verbose tooltip when hovering the icon, something like > > ''' > NOTE: Shell escape access granted. > > For this document, access to the -shell-escape feature has been granted > for the following converters: ... > > Note that this is a potential security risk. Use only if you trust the > source of this document. Please refer to sec. xx of the User Guide for > details. > > To withdraw shell escape access, press this icon. > '''
This seems a reasonable solution to me. It is not perfect, but nothing is. As I see it, the issue is that there are actually a wide variety of reasons that users might want to enable -shell-escape for various converters. As LyX currently functions, the only way to do this is to add this to the converter itself. This is dangerous from our point of view NOT so much (or only) because it is intrinsically dangerous, but rather because it it is the kind of thing that is too easy to "do and forget". Or, to put it differently: It is a serious hassle to enable -shell-escape as things are, and that invites people to do it and leave it. And that really is a security risk. The needauth mechanism provides some protection, but it seems to introduce its own risks. The current proposal is very much addressed to that problem, and I think something like it should be workable. But I'd make one more suggestion: Every time a user opens a document for which this sort of thing will be enabled, we pop a warning before we do anything. I.e., we do NOT just run gnuplot in the background, but we say something like what Jürgen had above, with buttons offering either to proceed or not. Doing this once per document per session does not seem too much to ask. (It would streamline things a bit, too, if we could 'inherit' this setting for child documents. So you would not have to keep clicking through if there were a lot of children.) Richard
