Re: branch warnings
Jean-Marc Lasgouttes wrote: Can you check that the following patch helps? Does not seem to help, unfortunately. Jürgen JMarc
Re: Press about LyX
Jerry wrote: Who among the LyX developers has the power to edit the press page, http://www.lyx.org/PressAboutLyX? Daniel has written an article about LyX for the HowToAnswer web site and would like to get it linked from the LyX press page. Surely this benefits the LyX community as well. I've added it. Thanks for the review. Jürgen
Re: branch warnings
What error message do you get ? The same ? Jürgen Spitzmüller sp...@lyx.org a écrit : Jean-Marc Lasgouttes wrote: Can you check that the following patch helps? Does not seem to help, unfortunately. Jürgen JMarc
Re: branch warnings
Jean-Marc Lasgouttes wrote: What error message do you get ? The same ? Looks like it: In file included from ./boost/config.hpp:44:0, from libs/regex/src/c_regex_traits.cpp:22: ./boost/config/stdlib/libstdcpp3.hpp:42:0: warning: BOOST_DISABLE_THREADS redefined [enabled by default] In file included from ./boost/config.hpp:26:0, from libs/regex/src/c_regex_traits.cpp:22: ../config.h:629:0: note: this is the location of the previous definition etc. I've issued ./autogen.sh and reconfigured after applying the patch. I did not do a make clean. Jürgen
Re: $$e not set on import -- import of .Rnw (knitr) fails
On Fri, Oct 19, 2012 at 5:11 AM, Jean-Marc Lasgouttes lasgout...@lyx.org wrote: Le 18/10/2012 16:19, Scott Kostyshak a écrit : The unchangedConverter.log is here (error): http://paste.debian.net/201557/ So the error happens on export to latex because the encoding is not specified. The error happens when importing the Rnw in LyX, which from what I understand currently calls the Rnw - LaTeX (plain) converter and then run tex2lyx. I think I do not understand what you do exactly. Does the same happen with Sweave (I do not have knitr here)? Yes, the same happens with Sweave because the converter Sweave - LaTeX (plain) has a $$e and that string is set to empty because of the following code: command = subst(command, token_encoding, buffer ? buffer-params().encoding().iconvName() : string()); Could you send me an example file and a step by step description of what you actually do? Yes. I've been using the example file that comes with LyX but I think that the same error would occur with trying to import any .Rnw file via Sweave or knitr. 1. Start a clean LyX instance from current master branch (although I have the same problem in branch. I wonder if importing a .Rnw has worked at some point?). 2. File Open Examples button sweave.lyx 3. File Export Export As [tempfolder]/sweaveexample.Rnw (select the Sweave (.Rnw) format) 4. Close the current document (the sweave.lyx file) just to make sure that it's not involved with the import probem. 5. File Import Sweave... [tempfolder]/sweaveexample.Rnw 6. At this point I get an error. Here are steps to show that (1) it is indeed the Sweave - LaTeX (plain) converter that is being used and (2) that setting the $$e variable improves things: 7. Close the error box from (6). 8. Go to Tools Preferences File Handling Converters select Sweave - LaTeX (plain) and in the Converter text box manually delete $$e and insert in it's place ISO-8859-15 so that the converter is now: Rscript --verbose --no-save --no-restore $$s/scripts/lyxsweave.R $$p$$i $$p$$o ISO-8859-15 $$r 9. Click the Modify button. 10. Click the Save button. 11. Repeat step (5). 12. The .Rnw is now partly imported. There will be other problems in the import process which I think are due to tex2lyx, but these problems are different from the Rnw - tex problem I am reporting here. Is the solution to modify lyxsweave.R and lyxknitr.R so that if they are not passed an encoding they should just not change the encoding from the default R one? This would be easy to do. Thanks, Scott
Re: $$e not set on import -- import of .Rnw (knitr) fails
I think it should be easy to ignore the encoding argument if it does not exist, but the problem that confuses me is why importing Rnw is involved with lyxsweave.R or lyxknitr.R. I mean Rnw should be treated as a normal TeX document (the R code should not be executed through Sweave or knitr), except that the code chunks (between = and @) should be treated differently, e.g. as ERT. Regards, Yihui -- Yihui Xie xieyi...@gmail.com Phone: 515-294-2465 Web: http://yihui.name Department of Statistics, Iowa State University 2215 Snedecor Hall, Ames, IA On Sat, Oct 20, 2012 at 11:13 AM, Scott Kostyshak skost...@lyx.org wrote: On Fri, Oct 19, 2012 at 5:11 AM, Jean-Marc Lasgouttes lasgout...@lyx.org wrote: Le 18/10/2012 16:19, Scott Kostyshak a écrit : The unchangedConverter.log is here (error): http://paste.debian.net/201557/ So the error happens on export to latex because the encoding is not specified. The error happens when importing the Rnw in LyX, which from what I understand currently calls the Rnw - LaTeX (plain) converter and then run tex2lyx. I think I do not understand what you do exactly. Does the same happen with Sweave (I do not have knitr here)? Yes, the same happens with Sweave because the converter Sweave - LaTeX (plain) has a $$e and that string is set to empty because of the following code: command = subst(command, token_encoding, buffer ? buffer-params().encoding().iconvName() : string()); Could you send me an example file and a step by step description of what you actually do? Yes. I've been using the example file that comes with LyX but I think that the same error would occur with trying to import any .Rnw file via Sweave or knitr. 1. Start a clean LyX instance from current master branch (although I have the same problem in branch. I wonder if importing a .Rnw has worked at some point?). 2. File Open Examples button sweave.lyx 3. File Export Export As [tempfolder]/sweaveexample.Rnw (select the Sweave (.Rnw) format) 4. Close the current document (the sweave.lyx file) just to make sure that it's not involved with the import probem. 5. File Import Sweave... [tempfolder]/sweaveexample.Rnw 6. At this point I get an error. Here are steps to show that (1) it is indeed the Sweave - LaTeX (plain) converter that is being used and (2) that setting the $$e variable improves things: 7. Close the error box from (6). 8. Go to Tools Preferences File Handling Converters select Sweave - LaTeX (plain) and in the Converter text box manually delete $$e and insert in it's place ISO-8859-15 so that the converter is now: Rscript --verbose --no-save --no-restore $$s/scripts/lyxsweave.R $$p$$i $$p$$o ISO-8859-15 $$r 9. Click the Modify button. 10. Click the Save button. 11. Repeat step (5). 12. The .Rnw is now partly imported. There will be other problems in the import process which I think are due to tex2lyx, but these problems are different from the Rnw - tex problem I am reporting here. Is the solution to modify lyxsweave.R and lyxknitr.R so that if they are not passed an encoding they should just not change the encoding from the default R one? This would be easy to do. Thanks, Scott
Re: $$e not set on import -- import of .Rnw (knitr) fails
On Sat, Oct 20, 2012 at 6:17 PM, Yihui Xie x...@yihui.name wrote: I think it should be easy to ignore the encoding argument if it does not exist, but the problem that confuses me is why importing Rnw is involved with lyxsweave.R or lyxknitr.R. I mean Rnw should be treated as a normal TeX document (the R code should not be executed through Sweave or knitr), except that the code chunks (between = and @) should be treated differently, e.g. as ERT. You're right. Now I understand what JMarc was saying -- this converter should not be used for importing. This is the problem. Scott
Re: Noweb/Literate programming Copier problem
I think that should be enough. A pointer to the knitr manual in Help--Specific Manuals--Knitr Manual can be helpful too (I remember Liviu mentioned this once). BTW, can you export knitr.lyx to LyX2.0 format? Just like I did here: https://github.com/yihui/lyx/commit/68c4a7fa78a1ac7e317c783cb415fc21a5ca2705 Otherwise users may not be able to open this file (\lyxformat 424 is too high). Thanks! Regards, Yihui -- Yihui Xie xieyi...@gmail.com Phone: 515-294-2465 Web: http://yihui.name Department of Statistics, Iowa State University 2215 Snedecor Hall, Ames, IA On Tue, Oct 16, 2012 at 7:58 PM, Scott Kostyshak skost...@lyx.org wrote: OK thanks for the tips. I'm guessing it's OK to update the format in trunk when changing the manuals? I don't think anything in-depth needs to be written there about knitr in the Additional manual because knitr already has a manual for use with LyX. However, it is currently an example. The only thing unmanual-like about knitr.lyx is its length, but in my opinion it is sufficient as is, especially because a lot that is in the Sweave manual applies to knitr. Attached is a patch to update the Additional manual. Is it OK? Thanks, Scott
Re: Noweb/Literate programming Copier problem
On Sat, Oct 20, 2012 at 6:40 PM, Yihui Xie x...@yihui.name wrote: I think that should be enough. A pointer to the knitr manual in Help--Specific Manuals--Knitr Manual can be helpful too (I remember Liviu mentioned this once). Sure, I can do that. Pavel, is that OK? Trunk only? BTW, can you export knitr.lyx to LyX2.0 format? Just like I did here: https://github.com/yihui/lyx/commit/68c4a7fa78a1ac7e317c783cb415fc21a5ca2705 Otherwise users may not be able to open this file (\lyxformat 424 is too high). 424 is only for the master branch. knitr.lyx in the 2.0.x branch has format 413. I think this is consistent with the other manuals. Am I missing something? Thanks, Scott Thanks! Regards, Yihui -- Yihui Xie xieyi...@gmail.com Phone: 515-294-2465 Web: http://yihui.name Department of Statistics, Iowa State University 2215 Snedecor Hall, Ames, IA On Tue, Oct 16, 2012 at 7:58 PM, Scott Kostyshak skost...@lyx.org wrote: OK thanks for the tips. I'm guessing it's OK to update the format in trunk when changing the manuals? I don't think anything in-depth needs to be written there about knitr in the Additional manual because knitr already has a manual for use with LyX. However, it is currently an example. The only thing unmanual-like about knitr.lyx is its length, but in my opinion it is sufficient as is, especially because a lot that is in the Sweave manual applies to knitr. Attached is a patch to update the Additional manual. Is it OK? Thanks, Scott
Re: Noweb/Literate programming Copier problem
I see. I did not check out the 2.0.x branch. It is indeed 413 there. Thanks! Regards, Yihui -- Yihui Xie xieyi...@gmail.com Phone: 515-294-2465 Web: http://yihui.name Department of Statistics, Iowa State University 2215 Snedecor Hall, Ames, IA On Sat, Oct 20, 2012 at 5:53 PM, Scott Kostyshak skost...@lyx.org wrote: On Sat, Oct 20, 2012 at 6:40 PM, Yihui Xie x...@yihui.name wrote: I think that should be enough. A pointer to the knitr manual in Help--Specific Manuals--Knitr Manual can be helpful too (I remember Liviu mentioned this once). Sure, I can do that. Pavel, is that OK? Trunk only? BTW, can you export knitr.lyx to LyX2.0 format? Just like I did here: https://github.com/yihui/lyx/commit/68c4a7fa78a1ac7e317c783cb415fc21a5ca2705 Otherwise users may not be able to open this file (\lyxformat 424 is too high). 424 is only for the master branch. knitr.lyx in the 2.0.x branch has format 413. I think this is consistent with the other manuals. Am I missing something? Thanks, Scott
knitr and Sweave security
I do not see knitr and Sweave security discussed anywhere. The Customization guide has 5 paragraphs on security regarding external templates. For example, someone could post a .lyx file asking for help that contains malicious code. I don't always check the list of modules that a document has and sometimes it might be hard to go through the entire file looking at the chunks of code (which might not stand out since they can be collapsed) before compiling. Using R's system command, one can run arbitrary commands, downloading/uploading or deleting information. In the external template support, measures are taken to restrict the access that the user has to the shell. I do not see any options that Rscript can accept to provide more security. Any thoughts as far as improving security, warning the user, or documentation? Thanks, Scott
Re: knitr and Sweave security
I do not see an obvious approach to solve this issue except documenting the potential security problem in the manual. It exists in all R-related applications, including R packages. I have seen people collecting keywords like system() and file.remove(), but that is apparently far from a perfect solution. Education is probably the only way... Regards, Yihui -- Yihui Xie xieyi...@gmail.com Phone: 515-294-2465 Web: http://yihui.name Department of Statistics, Iowa State University 2215 Snedecor Hall, Ames, IA On Sat, Oct 20, 2012 at 8:51 PM, Scott Kostyshak skost...@lyx.org wrote: I do not see knitr and Sweave security discussed anywhere. The Customization guide has 5 paragraphs on security regarding external templates. For example, someone could post a .lyx file asking for help that contains malicious code. I don't always check the list of modules that a document has and sometimes it might be hard to go through the entire file looking at the chunks of code (which might not stand out since they can be collapsed) before compiling. Using R's system command, one can run arbitrary commands, downloading/uploading or deleting information. In the external template support, measures are taken to restrict the access that the user has to the shell. I do not see any options that Rscript can accept to provide more security. Any thoughts as far as improving security, warning the user, or documentation? Thanks, Scott
Re: knitr and Sweave security
On Sat, Oct 20, 2012 at 10:18 PM, Yihui Xie x...@yihui.name wrote: I do not see an obvious approach to solve this issue except documenting the potential security problem in the manual. It exists in all R-related applications, including R packages. I have seen people collecting keywords like system() and file.remove(), but that is apparently far from a perfect solution. Education is probably the only way... You mean searching the chunk for the word system? I agree that it would be useless: first - sy second - stem do.call(paste(first,second,sep=),list(command=echo I still have access tempfile.txt)) What if knitr overrides the system function before processing the chunk? My guess is that it's not a good idea: there is probably a way around it, there are many other functions that would need to be blacklisted and overridden, and it would probably cause more bugs than security. But I wanted to throw it out there. Thanks, Scott Regards, Yihui -- Yihui Xie xieyi...@gmail.com Phone: 515-294-2465 Web: http://yihui.name Department of Statistics, Iowa State University 2215 Snedecor Hall, Ames, IA On Sat, Oct 20, 2012 at 8:51 PM, Scott Kostyshak skost...@lyx.org wrote: I do not see knitr and Sweave security discussed anywhere. The Customization guide has 5 paragraphs on security regarding external templates. For example, someone could post a .lyx file asking for help that contains malicious code. I don't always check the list of modules that a document has and sometimes it might be hard to go through the entire file looking at the chunks of code (which might not stand out since they can be collapsed) before compiling. Using R's system command, one can run arbitrary commands, downloading/uploading or deleting information. In the external template support, measures are taken to restrict the access that the user has to the shell. I do not see any options that Rscript can accept to provide more security. Any thoughts as far as improving security, warning the user, or documentation? Thanks, Scott
Re: knitr and Sweave security
The blacklist-based solution can stop nothing as you showed, so I think we cannot do much except writing it in the documentation. Regards, Yihui -- Yihui Xie xieyi...@gmail.com Phone: 515-294-2465 Web: http://yihui.name Department of Statistics, Iowa State University 2215 Snedecor Hall, Ames, IA On Sat, Oct 20, 2012 at 9:41 PM, Scott Kostyshak skost...@lyx.org wrote: You mean searching the chunk for the word system? I agree that it would be useless: first - sy second - stem do.call(paste(first,second,sep=),list(command=echo I still have access tempfile.txt)) What if knitr overrides the system function before processing the chunk? My guess is that it's not a good idea: there is probably a way around it, there are many other functions that would need to be blacklisted and overridden, and it would probably cause more bugs than security. But I wanted to throw it out there. Thanks, Scott
Re: branch warnings
Jean-Marc Lasgouttes wrote: > Can you check that the following patch helps? Does not seem to help, unfortunately. Jürgen > JMarc
Re: Press about LyX
Jerry wrote: > Who among the LyX developers has the power to edit the press page, > http://www.lyx.org/PressAboutLyX? Daniel has written an article about LyX > for the HowToAnswer web site and would like to get it linked from the LyX > press page. Surely this benefits the LyX community as well. I've added it. Thanks for the review. Jürgen
Re: branch warnings
What error message do you get ? The same ? "Jürgen Spitzmüller"a écrit : >Jean-Marc Lasgouttes wrote: >> Can you check that the following patch helps? > >Does not seem to help, unfortunately. > >Jürgen > >> JMarc
Re: branch warnings
Jean-Marc Lasgouttes wrote: > What error message do you get ? The same ? Looks like it: In file included from ./boost/config.hpp:44:0, from libs/regex/src/c_regex_traits.cpp:22: ./boost/config/stdlib/libstdcpp3.hpp:42:0: warning: "BOOST_DISABLE_THREADS" redefined [enabled by default] In file included from ./boost/config.hpp:26:0, from libs/regex/src/c_regex_traits.cpp:22: ../config.h:629:0: note: this is the location of the previous definition etc. I've issued ./autogen.sh and reconfigured after applying the patch. I did not do a make clean. Jürgen
Re: $$e not set on import --> import of .Rnw (knitr) fails
On Fri, Oct 19, 2012 at 5:11 AM, Jean-Marc Lasgoutteswrote: > Le 18/10/2012 16:19, Scott Kostyshak a écrit : > >> The unchangedConverter.log is here (error): >> http://paste.debian.net/201557/ > > > So the error happens on export to latex because the encoding is not > specified. The error happens when importing the Rnw in LyX, which from what I understand currently calls the Rnw -> LaTeX (plain) converter and then run tex2lyx. > I think I do not understand what you do exactly. Does the same happen with > Sweave (I do not have knitr here)? Yes, the same happens with Sweave because the converter Sweave -> LaTeX (plain) has a $$e and that string is set to empty because of the following code: command = subst(command, token_encoding, buffer ? buffer->params().encoding().iconvName() : string()); > Could you send me an example file and a > step by step description of what you actually do? Yes. I've been using the example file that comes with LyX but I think that the same error would occur with trying to import any .Rnw file via Sweave or knitr. 1. Start a clean LyX instance from current master branch (although I have the same problem in branch. I wonder if importing a .Rnw has worked at some point?). 2. File > Open > Examples button > sweave.lyx 3. File > Export > Export As > [tempfolder]/sweaveexample.Rnw (select the Sweave (.Rnw) format) 4. Close the current document (the sweave.lyx file) just to make sure that it's not involved with the import probem. 5. File > Import > Sweave... > [tempfolder]/sweaveexample.Rnw 6. At this point I get an error. Here are steps to show that (1) it is indeed the Sweave -> LaTeX (plain) converter that is being used and (2) that setting the $$e variable improves things: 7. Close the error box from (6). 8. Go to Tools > Preferences > File Handling > Converters > select Sweave -> LaTeX (plain) and in the Converter text box manually delete "$$e" and insert in it's place "ISO-8859-15" so that the converter is now: Rscript --verbose --no-save --no-restore $$s/scripts/lyxsweave.R $$p$$i $$p$$o ISO-8859-15 $$r 9. Click the Modify button. 10. Click the Save button. 11. Repeat step (5). 12. The .Rnw is now partly imported. There will be other problems in the import process which I think are due to tex2lyx, but these problems are different from the Rnw -> tex problem I am reporting here. Is the solution to modify lyxsweave.R and lyxknitr.R so that if they are not passed an encoding they should just not change the encoding from the default R one? This would be easy to do. Thanks, Scott
Re: $$e not set on import --> import of .Rnw (knitr) fails
I think it should be easy to ignore the encoding argument if it does not exist, but the problem that confuses me is why importing Rnw is involved with lyxsweave.R or lyxknitr.R. I mean Rnw should be treated as a normal TeX document (the R code should not be executed through Sweave or knitr), except that the code chunks (between <<>>= and @) should be treated differently, e.g. as ERT. Regards, Yihui -- Yihui XiePhone: 515-294-2465 Web: http://yihui.name Department of Statistics, Iowa State University 2215 Snedecor Hall, Ames, IA On Sat, Oct 20, 2012 at 11:13 AM, Scott Kostyshak wrote: > On Fri, Oct 19, 2012 at 5:11 AM, Jean-Marc Lasgouttes > wrote: >> Le 18/10/2012 16:19, Scott Kostyshak a écrit : >> >>> The unchangedConverter.log is here (error): >>> http://paste.debian.net/201557/ >> >> >> So the error happens on export to latex because the encoding is not >> specified. > > The error happens when importing the Rnw in LyX, which from what I > understand currently calls the Rnw -> LaTeX (plain) converter and then > run tex2lyx. > >> I think I do not understand what you do exactly. Does the same happen with >> Sweave (I do not have knitr here)? > > Yes, the same happens with Sweave because the converter Sweave -> > LaTeX (plain) has a $$e and that string is set to empty because of the > following code: > command = subst(command, token_encoding, buffer ? > buffer->params().encoding().iconvName() : string()); > >> Could you send me an example file and a >> step by step description of what you actually do? > > Yes. I've been using the example file that comes with LyX but I think > that the same error would occur with trying to import any .Rnw file > via Sweave or knitr. > > 1. Start a clean LyX instance from current master branch (although I > have the same problem in branch. I wonder if importing a .Rnw has > worked at some point?). > 2. File > Open > Examples button > sweave.lyx > 3. File > Export > Export As > [tempfolder]/sweaveexample.Rnw (select > the Sweave (.Rnw) format) > 4. Close the current document (the sweave.lyx file) just to make sure > that it's not involved with the import probem. > 5. File > Import > Sweave... > [tempfolder]/sweaveexample.Rnw > 6. At this point I get an error. > > Here are steps to show that (1) it is indeed the Sweave -> LaTeX > (plain) converter that is being used and (2) that setting the $$e > variable improves things: > 7. Close the error box from (6). > 8. Go to Tools > Preferences > File Handling > Converters > select > Sweave -> LaTeX (plain) and in the Converter text box manually delete > "$$e" and insert in it's place "ISO-8859-15" so that the converter is > now: > Rscript --verbose --no-save --no-restore $$s/scripts/lyxsweave.R > $$p$$i $$p$$o ISO-8859-15 $$r > 9. Click the Modify button. > 10. Click the Save button. > 11. Repeat step (5). > 12. The .Rnw is now partly imported. There will be other problems in > the import process which I think are due to tex2lyx, but these > problems are different from the Rnw -> tex problem I am reporting > here. > > Is the solution to modify lyxsweave.R and lyxknitr.R so that if they > are not passed an encoding they should just not change the encoding > from the default R one? This would be easy to do. > > Thanks, > > Scott
Re: $$e not set on import --> import of .Rnw (knitr) fails
On Sat, Oct 20, 2012 at 6:17 PM, Yihui Xiewrote: > I think it should be easy to ignore the encoding argument if it does > not exist, but the problem that confuses me is why importing Rnw is > involved with lyxsweave.R or lyxknitr.R. I mean Rnw should be treated > as a normal TeX document (the R code should not be executed through > Sweave or knitr), except that the code chunks (between <<>>= and @) > should be treated differently, e.g. as ERT. You're right. Now I understand what JMarc was saying -- this converter should not be used for importing. This is the problem. Scott
Re: Noweb/Literate programming Copier problem
I think that should be enough. A pointer to the knitr manual in "Help-->Specific Manuals-->Knitr Manual" can be helpful too (I remember Liviu mentioned this once). BTW, can you export knitr.lyx to LyX2.0 format? Just like I did here: https://github.com/yihui/lyx/commit/68c4a7fa78a1ac7e317c783cb415fc21a5ca2705 Otherwise users may not be able to open this file (\lyxformat 424 is too high). Thanks! Regards, Yihui -- Yihui XiePhone: 515-294-2465 Web: http://yihui.name Department of Statistics, Iowa State University 2215 Snedecor Hall, Ames, IA On Tue, Oct 16, 2012 at 7:58 PM, Scott Kostyshak wrote: > > OK thanks for the tips. I'm guessing it's OK to update the format in > trunk when changing the manuals? > > I don't think anything in-depth needs to be written there about knitr > in the Additional manual because knitr already has a "manual" for use > with LyX. However, it is currently an example. The only thing > unmanual-like about knitr.lyx is its length, but in my opinion it is > sufficient as is, especially because a lot that is in the Sweave > manual applies to knitr. > > Attached is a patch to update the Additional manual. Is it OK? > > Thanks, > > Scott
Re: Noweb/Literate programming Copier problem
On Sat, Oct 20, 2012 at 6:40 PM, Yihui Xiewrote: > I think that should be enough. A pointer to the knitr manual in > "Help-->Specific Manuals-->Knitr Manual" can be helpful too (I > remember Liviu mentioned this once). Sure, I can do that. Pavel, is that OK? Trunk only? > BTW, can you export knitr.lyx to LyX2.0 format? Just like I did here: > https://github.com/yihui/lyx/commit/68c4a7fa78a1ac7e317c783cb415fc21a5ca2705 > Otherwise users may not be able to open this file (\lyxformat 424 is > too high). 424 is only for the master branch. knitr.lyx in the 2.0.x branch has format 413. I think this is consistent with the other manuals. Am I missing something? Thanks, Scott > Thanks! > > Regards, > Yihui > -- > Yihui Xie > Phone: 515-294-2465 Web: http://yihui.name > Department of Statistics, Iowa State University > 2215 Snedecor Hall, Ames, IA > > > On Tue, Oct 16, 2012 at 7:58 PM, Scott Kostyshak wrote: >> >> OK thanks for the tips. I'm guessing it's OK to update the format in >> trunk when changing the manuals? >> >> I don't think anything in-depth needs to be written there about knitr >> in the Additional manual because knitr already has a "manual" for use >> with LyX. However, it is currently an example. The only thing >> unmanual-like about knitr.lyx is its length, but in my opinion it is >> sufficient as is, especially because a lot that is in the Sweave >> manual applies to knitr. >> >> Attached is a patch to update the Additional manual. Is it OK? >> >> Thanks, >> >> Scott
Re: Noweb/Literate programming Copier problem
I see. I did not check out the 2.0.x branch. It is indeed 413 there. Thanks! Regards, Yihui -- Yihui XiePhone: 515-294-2465 Web: http://yihui.name Department of Statistics, Iowa State University 2215 Snedecor Hall, Ames, IA On Sat, Oct 20, 2012 at 5:53 PM, Scott Kostyshak wrote: > On Sat, Oct 20, 2012 at 6:40 PM, Yihui Xie wrote: >> I think that should be enough. A pointer to the knitr manual in >> "Help-->Specific Manuals-->Knitr Manual" can be helpful too (I >> remember Liviu mentioned this once). > > Sure, I can do that. Pavel, is that OK? Trunk only? > >> BTW, can you export knitr.lyx to LyX2.0 format? Just like I did here: >> https://github.com/yihui/lyx/commit/68c4a7fa78a1ac7e317c783cb415fc21a5ca2705 >> Otherwise users may not be able to open this file (\lyxformat 424 is >> too high). > > 424 is only for the master branch. knitr.lyx in the 2.0.x branch has > format 413. I think this is consistent with the other manuals. Am I > missing something? > > Thanks, > > Scott >
knitr and Sweave security
I do not see knitr and Sweave security discussed anywhere. The Customization guide has 5 paragraphs on security regarding external templates. For example, someone could post a .lyx file asking for help that contains malicious code. I don't always check the list of modules that a document has and sometimes it might be hard to go through the entire file looking at the chunks of code (which might not stand out since they can be collapsed) before compiling. Using R's "system" command, one can run arbitrary commands, downloading/uploading or deleting information. In the external template support, measures are taken to restrict the access that the user has to the shell. I do not see any options that Rscript can accept to provide more security. Any thoughts as far as improving security, warning the user, or documentation? Thanks, Scott
Re: knitr and Sweave security
I do not see an obvious approach to solve this issue except documenting the potential security problem in the manual. It exists in all R-related applications, including R packages. I have seen people collecting keywords like system() and file.remove(), but that is apparently far from a perfect solution. Education is probably the only way... Regards, Yihui -- Yihui XiePhone: 515-294-2465 Web: http://yihui.name Department of Statistics, Iowa State University 2215 Snedecor Hall, Ames, IA On Sat, Oct 20, 2012 at 8:51 PM, Scott Kostyshak wrote: > I do not see knitr and Sweave security discussed anywhere. The > Customization guide has 5 paragraphs on security regarding external > templates. > > For example, someone could post a .lyx file asking for help that > contains malicious code. I don't always check the list of modules that > a document has and sometimes it might be hard to go through the entire > file looking at the chunks of code (which might not stand out since > they can be collapsed) before compiling. Using R's "system" command, > one can run arbitrary commands, downloading/uploading or deleting > information. > > In the external template support, measures are taken to restrict the > access that the user has to the shell. > > I do not see any options that Rscript can accept to provide more security. > > Any thoughts as far as improving security, warning the user, or documentation? > > Thanks, > > Scott
Re: knitr and Sweave security
On Sat, Oct 20, 2012 at 10:18 PM, Yihui Xiewrote: > I do not see an obvious approach to solve this issue except > documenting the potential security problem in the manual. It exists in > all R-related applications, including R packages. I have seen people > collecting keywords like system() and file.remove(), but that is > apparently far from a perfect solution. Education is probably the only > way... You mean searching the chunk for the word "system"? I agree that it would be useless: first <- "sy" second <- "stem" do.call(paste(first,second,sep=""),list(command="echo I still have access >> tempfile.txt")) What if knitr overrides the "system" function before processing the chunk? My guess is that it's not a good idea: there is probably a way around it, there are many other functions that would need to be blacklisted and overridden, and it would probably cause more bugs than security. But I wanted to throw it out there. Thanks, Scott > > Regards, > Yihui > -- > Yihui Xie > Phone: 515-294-2465 Web: http://yihui.name > Department of Statistics, Iowa State University > 2215 Snedecor Hall, Ames, IA > > > On Sat, Oct 20, 2012 at 8:51 PM, Scott Kostyshak wrote: >> I do not see knitr and Sweave security discussed anywhere. The >> Customization guide has 5 paragraphs on security regarding external >> templates. >> >> For example, someone could post a .lyx file asking for help that >> contains malicious code. I don't always check the list of modules that >> a document has and sometimes it might be hard to go through the entire >> file looking at the chunks of code (which might not stand out since >> they can be collapsed) before compiling. Using R's "system" command, >> one can run arbitrary commands, downloading/uploading or deleting >> information. >> >> In the external template support, measures are taken to restrict the >> access that the user has to the shell. >> >> I do not see any options that Rscript can accept to provide more security. >> >> Any thoughts as far as improving security, warning the user, or >> documentation? >> >> Thanks, >> >> Scott
Re: knitr and Sweave security
The blacklist-based solution can stop nothing as you showed, so I think we cannot do much except writing it in the documentation. Regards, Yihui -- Yihui XiePhone: 515-294-2465 Web: http://yihui.name Department of Statistics, Iowa State University 2215 Snedecor Hall, Ames, IA On Sat, Oct 20, 2012 at 9:41 PM, Scott Kostyshak wrote: > > You mean searching the chunk for the word "system"? I agree that it > would be useless: > first <- "sy" > second <- "stem" > do.call(paste(first,second,sep=""),list(command="echo I still have > access >> tempfile.txt")) > > What if knitr overrides the "system" function before processing the chunk? > My guess is that it's not a good idea: there is probably a way around > it, there are many other functions that would need to be blacklisted > and overridden, and it would probably cause more bugs than security. > But I wanted to throw it out there. > > Thanks, > > Scott