[slowly catching up...]

On 18/07/2017 19:46, Christian Ridderström wrote:
> I just did a test with gnuplot. In the LyX settings I had unchecked 'Forbid of
> use of needauth converters' and unchecked 'Use needauth option'. Then I opened
> a LyX doc with a gnuplot script. Result: LyX tried to run the script due to the
> preview, without asking or alerting me.

That's the purpose of the "Use needauth option", namely, to allow for a workflow 
without burdens for those who know what they're doing. Disabling needauth (which you did) 
just gets rid of the security measures, opens up your firewall, turns off security etc. 
Compare with other common software like a firewall or antivirus, if I go to its 
admin panel and turn it off...

What if, when unchecking that option, LyX would have popped up another dialog 
with a HUGE SECURITY warning? I'm now feeling this would be needed.

> In my opinion this demonstrates a case where the security is _not_ good enough,
> as I don't think it'd be very difficult to trick someone into unchecking these
> boxes.

Aware of the limitations of needauth, the final remedy was ...

- ?

sandboxing, as discussed in http://www.lyx.org/trac/ticket/10481, where there are 
a few notes about how to possibly design a portable mechanism across Win, Mac 
and Lin.

Thanks,

        T.
