On 17 July 2017 at 00:57, Enrico Forestieri <for...@lyx.org> wrote:

> On Mon, Jul 17, 2017 at 12:49:05AM +0200, Christian Ridderström wrote:
> >
> > Enrico argued that there are other (equally) dangerous converters already
> > in LyX. Then that's something to address. Does it have to be for this
> > release? If that's something to discuss, I can't say. Are many users
> > currently exposed, i.e. likely to be using it? It's bad if we have
> > security holes, but it's not necessarily good to immediately yank something
> > out. On the plus side, you as the release manager can decide what's needed
> > here as far as I am concerned.
>
> Dear Christian,
>
> I fear that this minted issue is a very well constructed case. At the
> moment there is no way you can risk something if not manually going through
> changing preferences. On the contrary, other features simply require a
> left click with the mouse to cause danger. It is really surprising that
> these features are not considered harmful while minted support is.
> But I am not surprised, because these are called FUD strategies and
> have always been used to muddy the waters and confound people.
Let me see if I understand this correctly, and perhaps it'll unconfuse some
others as well.

Regarding Minted, which is an alternative way to insert pretty program
listings in your document.

At the moment it takes manual (typing) work to cause security issues in
connection with minted.
The "at the moment" likely refers to e.g. LyX 2.2.2, as [1] gives a nice
illustration with screenshots of how to add the option '-shell-escape' to
the converter 'pdflatex'. The downside of adding this option is that now
other LaTeX code in the document has the possibility of doing "bad" stuff
to my system.

Further, my LyX is now configured with this -shell-escape, which will then be
active for all other LyX documents that I build. Oops.

Note: I'd probably deal with the security issue here by using two
separately configured LyX instances that use different '-userdir' settings.
It would be nice to have a strong visual warning that I'm using the "unsafe"
LyX though, but I guess I could manually configure a different paper colour
in LyX.

If I've understood the proposed patches correctly, they involve making it
easier for the user to enable -shell-escape, and also easier to disable
shell-escape. I'm torn here. Some of the proposed UI approaches weren't
bad, but I'd probably still worry that we're making it too easy for the user
to do dangerous things.

For Minted I'd then prefer to keep the old behaviour for now and add better
integration when/if minted doesn't need shell-escape.

As for the other dangerous features, presumably related to something called
"needauth", I don't know anything...
I googled and found this [2]:

----
The converters definition syntax (LYX_HOME/lyxrc*) now supports a new
option, 'needauth', to prevent completely automated execution of the
converter, unless LyX acquired explicit consent by the user. This is a new
security feature, useful for converters that are capable of executing
arbitrary code, such as R scripts (used with sweave/knitr), embedded within
LyX documents. The user needs to explicitly grant per-document permission
on the first need for using the converter on each document, unless he/she
checks the "Don't ask again for this document" checkbox in the permission
dialog. The new behavior can be fine-tuned from two new options in the
preferences dialog (see their description below). These also allow for
disabling 'needauth' converters altogether, if desired (default behavior).
----

I don't understand if the 'needauth' is new in LyX 2.3.0 or already existed.

However, and here I'm probably offending people and stepping on mines in a
single paragraph, this seems bad to me.
The text indicates to me that it's possible for a document to store some
kind of setting that allows a converter (here external program) to be run
in an automated manner without my manual intervention or consent.
Supposedly I first had to check "Don't ask again for this document" but
consider the following example:
I create a document with some embedded code to be run by converters. It's
my document, I trust it. Then I e-mail it to a colleague or perhaps my
customer for review. Time goes by and eventually I get the document back
from review, but the review took longer than expected and my next deadline
was yesterday, so I'm in a hurry and build "my" document. Oops, some of
the embedded code is now malicious, but the document still contains my
setting that lets the converters execute... So apologies for not knowing
the details here, but if this is being introduced in LyX 2.3.0 it sounds
like it could be pretty bad and I think the security aspects should be
discussed. {KABOOM} is hopefully the sound effect when someone points me
to the thread where this was all thoroughly discussed and what I described
can't happen...?

Best regards,
Christian

[1] http://brosnanyuen.blogspot.se/2015/09/lxy-and-minted.html
[2] https://wiki.lyx.org/LyX/NewInLyX23
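The two concerns in the mail above, the '-shell-escape' converter edit from [1] and the per-document "Don't ask again" grant for 'needauth' converters, are modelled below as an added example; it is not LyX's code, nor the code of anyone in this thread. It assumes the preferences file uses the four-field form `\converter "from" "to" "command" "flags"`, and the sample converter lines (including the knitr command) are constructed for the example. The two grant stores compare remembering consent by document path alone, which is the behaviour the mail worries about, against binding the consent to a digest of the document content so that a document that comes back changed from review is asked about again.

```python
"""Added example: audit a lyxrc excerpt for shell escape, and model two ways
of remembering a per-document 'needauth' grant. Constructed data throughout;
this is not LyX's own implementation."""
import hashlib
import re

# Constructed preferences excerpt in the assumed \converter "from" "to" "command" "flags"
# form. The pdflatex line carries the '-shell-escape' edit described in [1]; the knitr
# command is made up for the example and only illustrates a 'needauth' flag.
SAMPLE_PREFERENCES = r'''
\converter "latex" "dvi" "latex $$i" "latex=latex"
\converter "pdflatex" "pdf2" "pdflatex -shell-escape $$i" "latex=pdflatex"
\converter "knitr" "latex" "Rscript --no-save $$s/scripts/lyxknitr.R $$i $$o" "needauth"
'''

CONVERTER_RE = re.compile(
    r'^\\converter\s+"([^"]*)"\s+"([^"]*)"\s+"([^"]*)"\s+"([^"]*)"', re.M)
SHELL_ESCAPE_RE = re.compile(r'(?:^|\s)-{1,2}shell-escape(?:\s|$)')


def audit_preferences(text):
    """Return two lists of (from, to) pairs: converters whose command enables
    shell escape for the TeX engine, and converters flagged 'needauth'."""
    shell_escape, needauth = [], []
    for src, dst, command, flags in CONVERTER_RE.findall(text):
        if SHELL_ESCAPE_RE.search(command):
            shell_escape.append((src, dst))
        if "needauth" in flags.split(","):
            needauth.append((src, dst))
    return shell_escape, needauth


def _digest(content):
    """SHA-256 of the document bytes; identifies the content the user consented to."""
    return hashlib.sha256(content).hexdigest()


class PathKeyedGrants:
    """'Don't ask again' remembered by document path only. The grant silently
    covers any later change to the embedded code (the scenario in the mail)."""

    def __init__(self):
        self._granted = set()

    def remember(self, path, content):
        self._granted.add(path)

    def is_authorised(self, path, content):
        return path in self._granted


class ContentBoundGrants:
    """Hardened variant (an assumption of this example): the grant is bound to a
    digest of the content, so changed embedded code triggers a fresh prompt."""

    def __init__(self):
        self._granted = set()

    def remember(self, path, content):
        self._granted.add((path, _digest(content)))

    def is_authorised(self, path, content):
        return (path, _digest(content)) in self._granted


def review_round_trip(store):
    """Simulate the mail's scenario with constructed documents: the author grants
    consent on the original, the document returns from review with its embedded
    code changed. Returns (authorised_before, authorised_after)."""
    path = "report.lyx"
    original = b"<<echo=TRUE>>=\nsummary(cars)\n@\n"
    store.remember(path, original)
    returned = b"<<echo=TRUE>>=\nsummary(cars)\n# changed during review\n@\n"
    return store.is_authorised(path, original), store.is_authorised(path, returned)


if __name__ == "__main__":
    print("shell-escape / needauth:", audit_preferences(SAMPLE_PREFERENCES))
    print("path-keyed grant   (before, after):", review_round_trip(PathKeyedGrants()))
    print("content-bound grant (before, after):", review_round_trip(ContentBoundGrants()))
```

Running the audit against a real preferences file is a quick way to see whether the '-shell-escape' edit from [1] is still active for every document built with that '-userdir', which is the "Oops" in the mail; the grant comparison shows why a consent flag stored with the document is only as trustworthy as the document's content at the time it is used.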
