On 19/07/2017 at 16:47, Richard Heck wrote:
On 07/19/2017 05:06 AM, Pavel Sanda wrote:
Christian Ridderström wrote:
I just did a test with gnuplot. In the LyX settings I had unchecked 'Forbid
of use of needauth converters' and unchecked 'Use needauth option'. Then I
opened a LyX doc with a gnuplot script. Result: LyX tried to run the script
due to the preview, without asking or alerting me.

In my opinion this demonstrates a case where the security is _not_ good
enough, as I don't think it'd be very difficult to trick someone into
unchecking these boxes.
I think at the end it boils down to the question whether we rather want
LyX for unaware users who can't handle any responsibility or we want
to allow advanced features for more hackish crowd of people.

I obviously stay in the hackish camp but understand your
fear for the poor.

I would offer two quick options here:
1. Rename 'Forbid of use of needauth converters' to something scary
    so users have red flag.
2. Leave the machinery alive, but move the flags from the UI to RC files,
    forcing people to edit them, so they have time to think about
    what they are doing instead of randomly clicking.

I've suggested this, too. Just to be clear, you just have to remove the
UI for this setting. It
can stay in the same file, which can just be edited.


Not sure if what is being discussed is for 2.3 or for an ideal implementation, but ideally what about:

1. No "needauth" preferences (do not allow needauth to be disabled).
2. The dialog has a checkbox "I have read the above and I understand the
consequences", unchecked by default, which one has to check before
clicking "allow" or "always allow for the document". This checkbox is
remembered per-user (this replaces the "forbid use of needauth" option).
3. For command-line only (without GUI), have a command-line options
--needauth=[never(default)|always|ask].

Assuming other principles are implemented (visibility, revocability,
etc.), then IMO 2. is all we need as a secure GUI, and 3. all that is
needed for a secure command line (for a needauth implementation that
satisfies other principles).
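The proposal above can be modelled as a single policy gate. The following is an added illustration written for this thread, not LyX's own code: the names NeedauthPolicy, Converter, decide, acknowledge, revoke and render_preview are invented for the example, as are the document name and the converter records. It encodes the three points of the proposal (no preference that disables needauth in the GUI; a per-user acknowledgement that must be set before any "allow"; a headless --needauth mode defaulting to never) and adds the check Christian's gnuplot test was missing: the preview path has to go through the same gate as every other converter invocation.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional, Set, Tuple

ALLOW, DENY = "allow", "deny"


@dataclass(frozen=True)
class Converter:
    name: str
    needauth: bool  # True if the converter executes code taken from the document


@dataclass
class NeedauthPolicy:
    # Command-line policy, consulted only when there is no GUI: never | always | ask
    mode: str = "never"
    gui: bool = False
    # Per-user "I have read the above and I understand the consequences" box
    acknowledged: bool = False
    # Documents for which the user chose "always allow for the document" (revocable)
    always_allowed_docs: Set[str] = field(default_factory=set)
    # Dialog callback (hypothetical): (doc, converter) -> "deny" | "allow" | "allow-doc"
    prompt: Optional[Callable[[str, Converter], str]] = None

    def acknowledge(self, value: bool = True) -> None:
        self.acknowledged = value

    def revoke(self, doc: str) -> None:
        # Revocability: a remembered per-document allow can be withdrawn.
        self.always_allowed_docs.discard(doc)

    def decide(self, doc: str, conv: Converter) -> Tuple[str, str]:
        """Return (decision, reason). Anything not explicitly allowed is denied."""
        if not conv.needauth:
            return ALLOW, "converter does not run document-supplied code"

        if not self.gui:
            # Headless: only the explicit --needauth option can open the gate.
            if self.mode == "always":
                return ALLOW, "--needauth=always"
            if self.mode == "ask" and self.prompt is not None:
                return self._ask(doc, conv)
            return DENY, "headless default is --needauth=never"

        # GUI: there is no preference that disables needauth; only the dialog
        # (or a remembered per-document answer) can allow execution.
        if doc in self.always_allowed_docs:
            return ALLOW, "previously allowed for this document"
        if self.prompt is None:
            return DENY, "no dialog available to ask the user"
        return self._ask(doc, conv)

    def _ask(self, doc: str, conv: Converter) -> Tuple[str, str]:
        answer = self.prompt(doc, conv)
        if answer not in ("allow", "allow-doc"):
            return DENY, "user declined"
        if not self.acknowledged:
            # The "allow" buttons are inert until the checkbox has been ticked.
            return DENY, "acknowledgement checkbox not set"
        if answer == "allow-doc":
            self.always_allowed_docs.add(doc)
        return ALLOW, "user allowed"


def render_preview(policy: NeedauthPolicy, doc: str, conv: Converter, run):
    """Preview generation is just another converter invocation: it must go
    through decide() rather than running the script because a preview is wanted.
    Returns the converter's result, or None when the gate denied it."""
    decision, _reason = policy.decide(doc, conv)
    if decision != ALLOW:
        return None
    return run(doc)


if __name__ == "__main__":
    gnuplot = Converter("gnuplot", needauth=True)   # constructed sample converter
    print(NeedauthPolicy().decide("paper.lyx", gnuplot))
    print(render_preview(NeedauthPolicy(), "paper.lyx", gnuplot, lambda d: "script ran"))
```

The gate is deny-by-default in every branch that is not an explicit user or command-line decision, which is what makes the headless default of "never" and the GUI "no preference" rule hold at the same time.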
