On 18 July 2017 at 09:06, Scott Kostyshak <skost...@lyx.org> wrote:
> On Mon, Jul 17, 2017 at 11:53:38PM +0200, Christian Ridderström wrote:
>
>> A) In LyX 2.2.x, if I open the document, no "converters" are executed. But
>> when I attempt to generate the PDF, the document could via e.g. 'R' execute
>> arbitrary code on my computer, as if it were my user account. And this
>> would happen silently, with no warning etc.
>> Correct?
>
> Yes.
>
>> But what would happen if I used LyX 2.3.0alphaX and tried to build the
>> document?
>
> Guillaume gave a more detailed answer. The quick answer is that with the
> defaults of 2.3.0alpha1-1, you would be prompted before the R code was
> run.

Thanks, it's clearer now.

Are the settings that needauth remembers done:
a) per document, regardless of converter
b) per document-and-converter pair?
c) Also per snippet of code?

E.g., what happens if I'm keeping a document on say a network drive. I
put some code in the document and execute it. When asked by needauth
the first time, I say "always allow for the document". So the next
time I execute the document I'm not asked again.

What happens now if someone else modifies the code embedded in the
document?  Will the permission(s) still be active, so that the
document executes the new code?  Am I warned in any way?

If not, perhaps a future improvement could be to be able to approve
specific code snippets to be executed.
The user-dir could e.g. contain a hash of code snippets that's
approved to be run for a certain document. Or perhaps even for all
kinds of documents.
/Christian

PS. Heh.. maybe we could use Git to store approved/disapproved code
snippets as it's a content based filesystem.
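
The approval-by-hash idea raised in the message above, sketched as an added example (not part of the original email and not LyX code): approvals are keyed on document, converter and a SHA-256 of the exact snippet, so an edited snippet no longer matches and would trigger a new prompt. The store layout, `ApprovalStore`, `GLOBAL` and the sample paths, converter names and snippets are assumptions constructed for illustration.

```python
import hashlib
import json
import os
import tempfile

GLOBAL = "*"  # assumed key meaning "approved for any document"

def snippet_digest(converter: str, code: str) -> str:
    """SHA-256 over the converter name and the exact snippet text."""
    h = hashlib.sha256()
    for part in (converter.encode(), code.encode()):
        h.update(len(part).to_bytes(8, "big"))  # length prefix: unambiguous framing
        h.update(part)
    return h.hexdigest()

class ApprovalStore:
    """Hypothetical JSON file in the user directory: document -> approved digests."""
    def __init__(self, path: str):
        self.path = path
        self.data = {}
        if os.path.exists(path):
            with open(path, encoding="utf-8") as f:
                self.data = json.load(f)

    def approve(self, document: str, converter: str, code: str) -> None:
        digest = snippet_digest(converter, code)
        approved = self.data.setdefault(document, [])
        if digest not in approved:
            approved.append(digest)
        with open(self.path + ".tmp", "w", encoding="utf-8") as f:
            json.dump(self.data, f)
        os.replace(self.path + ".tmp", self.path)  # atomic swap of the store file

    def is_approved(self, document: str, converter: str, code: str) -> bool:
        digest = snippet_digest(converter, code)
        return any(digest in self.data.get(k, []) for k in (document, GLOBAL))

def demo() -> dict:
    """Constructed scenario: approve a snippet, then the shared file is edited."""
    store_file = os.path.join(tempfile.mkdtemp(), "approved_snippets.json")
    doc = "/net/share/report.lyx"                    # constructed path
    original = "plot(cars)\n"                        # constructed R snippet
    modified = "plot(cars)\nwrite.csv(cars, 'x')\n"  # edited by someone else
    ApprovalStore(store_file).approve(doc, "knitr", original)
    store = ApprovalStore(store_file)                # reload, as on a later run
    return {"original": store.is_approved(doc, "knitr", original),
            "modified": store.is_approved(doc, "knitr", modified),
            "other_converter": store.is_approved(doc, "sweave", original)}
```

The store has to live somewhere only the user can write, such as the local user directory, since an approval list kept next to the shared document could be edited along with it.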
