Le 17/07/2017 à 23:53, Christian Ridderström a écrit :
Hi,

I've gotten lots of information from Enrico and Guillaume related to the security "gap", but I'd like to boil it down to simpler questions to make the situation clear to me.

Assume that I've gotten a LyX document by e-mail. It was not created by me, but let's say that the sender of the e-mail appears to be from a colleague whom I trust, asking me to do him a favour and generate a PDF because his computer is acting up. It's urgent of course...

A) In LyX 2.2.x, if I open the document, no "converters" are executed. But when I attempt to generate the PDF, the document could via e.g. 'R' execute arbitrary code on my computer, as if it were my user account. And this would happen silently, with no warning etc.
Correct?

But what would happen if I used LyX 2.3.0alphaX and tried to build the document?
B) Would LyX still allow the document to run arbitrary code on my computer?

Depends on your needauth settings.
* Never (default for a new install): no, and an error message tells you
to change the needauth settings before you can proceed.
* Enable and ask: first you get a message asking to authorise the
converter (every time or only the first time depending on whether you
chose "allow" or "always allow for the document").
* Disabled: like in 2.2.

Note that currently all this and the below appears to hold as well for
gnuplot previews, so one does not need to compile to PDF, just to open a
file (this was not the case in 2.2).


C) Would the execution still happen "silently"?

In two cases:
* Enable and ask: if you previously clicked "always for the document".
* Disabled: it always happens silently.


D) Can the above happen with a document completely created by someone else?

In one case:
* Disabled

(Another one is if the path is ~/Download/new1.lyx and you happen to
have given permanent permissions for a file with the same path three
years earlier, deleted and forgotten about since...)


Guillaume


Reply via email to