On 07/19/2017 10:37 AM, Enrico Forestieri wrote:
> On Tue, Jul 18, 2017 at 07:26:23PM -0400, Richard Heck wrote:
>> On 07/18/2017 09:56 AM, Jürgen Spitzmüller wrote:
>>> Am Dienstag, den 18.07.2017, 15:39 +0200 schrieb Jean-Marc Lasgouttes:
>>>> Why not, maybe along with the names of the converters (features)
>>>> Sweave/gnuplot/minted present in current document and accepted by the
>>>> user.
>>> I would add a verbose tooltip when hovering the icon, something like
>>>
>>> '''
>>> NOTE: Shell escape access granted.
>>>
>>> For this document, access to the -shell-escape feature has been granted
>>> for the following converters: ...
>>>
>>> Note that this is a potential security risk. Use only if you trust the
>>> source of this document. Please refer to sec. xx of the User Guide for
>>> details.
>>>
>>> To withdraw shell escape access, press this icon.
>>> '''
>> This seems a reasonable solution to me. It is not perfect, but nothing is.
>>
>> As I see it, the issue is that there are actually a wide variety of
>> reasons that users might want to enable -shell-escape for various
>> converters. As LyX currently functions, the only way to do this is to
>> add this to the converter itself. This is dangerous from our point of
>> view NOT so much (or only) because it is intrinsically dangerous, but
>> rather because it is the kind of thing that is too easy to "do and
>> forget". Or, to put it differently: It is a serious hassle to enable
>> -shell-escape as things are, and that invites people to do it and leave
>> it. And that really is a security risk.
> The attached patch takes into account all of these ideas. As a disclaimer,
> note that I am providing it only because I am now familiar with this part
> of the code and can quickly come up with a patch. But I am not endorsing it.
>
> The user can choose to allow execution of external programs for a given
> document through the document settings. However, this is a property that
> only holds on the computer used to edit the document. There is no way
> to send out a document with the shell-escape thing activated.
>
> Once activated, the user is prompted for confirmation each time a
> latex backend is used, unless he decides to always allow execution for
> a particular document. A document marked as requiring shell escape
> privileges is characterized by a red icon on the status bar.
>
> The shell-escape privilege can be revoked through the document settings.
> Given the peculiarity that this cannot be a mere document property but
> rather a property tied to both document and computer, the check box
> works differently from all other check boxes. Indeed, checking or
> unchecking it should not make the document dirty. So, the privilege
> is given or revoked instantly when checking or unchecking, without the
> need of confirming the change.
>
> The patch also nags the user when -shell-escape is added to a latex
> backend, suggesting to use the support provided by LyX instead of
> allowing this privilege to any document. This is all we can do in
> this case to try to increase security, because we shouldn't change
> users' choices.
>
> When a document with shell-escape privileges is moved to a new location
> or removed, it loses the privilege. So, if a new file with same name is
> later placed there, it doesn't inherit the privilege.

Thanks for this, Enrico. Let me just ask one question about it: Is the
mechanism here per-document or per-document and also per-converter? That
is, suppose there was a document that contained R code and minted code.
Would one be warned about both or would one only be asked once? If the
latter, how hard would it be to change that?

Oh, maybe another thought: Could clicking the 'warning' icon easily be
used to disable execution? Just a UI thought there.

Richard
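As an added illustration, not code from the patch or from anyone in this thread, here is a small Python model of the grant scheme Enrico describes: the privilege is keyed to the document's path on this machine and never stored in the document, it is asked about on each run unless "always allow" was chosen, it is dropped when the file is moved or removed so a same-named file does not inherit it, and converter commands are inspected for -shell-escape so the nag can fire. All class and function names are assumptions; the scenario in demo() is constructed.

```python
import os
import shlex
import tempfile
from pathlib import Path

def uses_shell_escape(converter_cmd):
    # The case LyX nags about: a converter command that enables shell escape itself.
    return any(tok.lstrip("-") == "shell-escape" for tok in shlex.split(converter_cmd))

class ShellEscapeGrants:
    def __init__(self):
        self._grants = {}  # path -> True ("always allow") or False ("ask on each run")

    def _key(self, doc):
        return str(Path(doc).resolve())

    def grant(self, doc, always=False):
        self._grants[self._key(doc)] = always

    def revoke(self, doc):  # also the hook run when the document is moved or removed
        self._grants.pop(self._key(doc), None)

    def status(self, doc):
        key = self._key(doc)
        if key not in self._grants or not os.path.isfile(key):
            return "denied"
        return "allowed" if self._grants[key] else "confirm"

def build_latex_command(grants, doc, confirm):
    # Append -shell-escape only when granted; confirm() is the per-run prompt.
    st = grants.status(doc)
    flag = ["-shell-escape"] if st == "allowed" or (st == "confirm" and confirm(doc)) else []
    return ["pdflatex", "-interaction=nonstopmode", *flag, os.path.basename(doc)]

def demo():
    # Constructed scenario: grant, "always allow", move, then a same-named file appears.
    with tempfile.TemporaryDirectory() as d:
        doc, moved = os.path.join(d, "paper.lyx"), os.path.join(d, "moved.lyx")
        open(doc, "w").close()
        g = ShellEscapeGrants()
        seq = [g.status(doc)]
        g.grant(doc)
        seq.append(g.status(doc))
        g.grant(doc, always=True)
        seq.append(g.status(doc))
        os.rename(doc, moved)
        g.revoke(doc)  # the old path loses the privilege
        open(doc, "w").close()
        return seq + [g.status(moved), g.status(doc)]
```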
