Re: spreadsheet capability?

[Helge Hafting]

On 15. juni 2010 00:17, Pavel Sanda wrote:
[...]

i'm all for having support of gnumeric/excel/oofice. but we are talking
about delicate issue - before adding ssconvert we should be pretty
confident that it only produces .tex files without running any
additional code/script in the source files. (question on gnumeric devs?)

apart from that the original patch was pretty clear, so i dont see any other
hindrances.


I got this answer from Jean Bréfort on the gnumeric list:

 At least for now, ssconvert does not execute any macro.

So ssconvert don't run macros. It can recalculate cells, but will only 
do that if you use the --recalc parameter.


Helge Hafting

Re: spreadsheet capability?

[Pavel Sanda]

Helge Hafting wrote:
  At least for now, ssconvert does not execute any macro.

 So ssconvert don't run macros. It can recalculate cells, but will only do 
 that if you use the --recalc parameter.

ok then. can you repost the patch, i will put it into 2.0.

pavel

Re: spreadsheet capability?

[Helge Hafting]

On 15. juni 2010 00:17, Pavel Sanda wrote:
[...]

i'm all for having support of gnumeric/excel/oofice. but we are talking
about delicate issue - before adding ssconvert we should be pretty
confident that it only produces .tex files without running any
additional code/script in the source files. (question on gnumeric devs?)

apart from that the original patch was pretty clear, so i dont see any other
hindrances.


I got this answer from Jean Bréfort on the gnumeric list:

> At least for now, ssconvert does not execute any macro.

So ssconvert don't run macros. It can recalculate cells, but will only 
do that if you use the --recalc parameter.


Helge Hafting

Re: spreadsheet capability?

[Pavel Sanda]

Helge Hafting wrote:
> > At least for now, ssconvert does not execute any macro.
>
> So ssconvert don't run macros. It can recalculate cells, but will only do 
> that if you use the --recalc parameter.

ok then. can you repost the patch, i will put it into 2.0.

pavel

Re: spreadsheet capability?

[Helge Hafting]

On 15. juni 2010 00:17, Pavel Sanda wrote:
[...]

i'm all for having support of gnumeric/excel/oofice. but we are talking
about delicate issue - before adding ssconvert we should be pretty
confident that it only produces .tex files without running any
additional code/script in the source files. (question on gnumeric devs?)

apart from that the original patch was pretty clear, so i dont see any other
hindrances.


I asked on the gnumeric list. We'll see.

Helge Hafting

Re: spreadsheet capability?

[Helge Hafting]

On 15. juni 2010 00:17, Pavel Sanda wrote:
[...]

i'm all for having support of gnumeric/excel/oofice. but we are talking
about delicate issue - before adding ssconvert we should be pretty
confident that it only produces .tex files without running any
additional code/script in the source files. (question on gnumeric devs?)

apart from that the original patch was pretty clear, so i dont see any other
hindrances.


I asked on the gnumeric list. We'll see.

Helge Hafting

Re: spreadsheet capability?

[Helge Hafting]

On 29. mai 2010 01:56, Pavel Sanda wrote:

Liviu Andronic wrote:

On Fri, May 28, 2010 at 8:23 PM, Guenter Mildemi...@users.berlios.de  wrote:

However, the Gnumeric spreadsheet has a LaTeX export feature, so one
could possibly write an external inset wrapper for it.


Apparently there is a patch [1] by Helge Hafting. More info on the
subject in this thread [2] and on the wiki [3].
Liviu

PS Would the devels consider including the patch in LyX 2.0?


please do you have any idea whether is safe to use blindly ssconvert or gnumeric
in the sense that attacker can't write eg some excel macro-virus which would
get executed via ssconvert or gnumeric?

I don't know if ssconvert supports excel macros well enough to run a 
virus. I though macro viruses generally abused a visual basic interface 
that doesn't even exist on linux.


But there is a very simple solution, if safety is the reason to not 
include my patch:


I can change it so it only support gnumeric files, not excel files. 
ssconvert can convert oocalc, excel and gnumeric. But LyX can stick with 
the .gnumeric extension in order to be safe. I don't think gnumeric has 
such vulnerabilities designed into it.


Would that be interesting?


we have already rejected gnuplot support because of the fact that somebody
could embed script like ! rm -rf / into .lyx file...

Re: spreadsheet capability?

[Pavel Sanda]

Helge Hafting wrote:
 please do you have any idea whether is safe to use blindly ssconvert or 
 gnumeric
 in the sense that attacker can't write eg some excel macro-virus which 
 would
 get executed via ssconvert or gnumeric?

 I don't know if ssconvert supports excel macros well enough to run a virus. 
 I though macro viruses generally abused a visual basic interface that 
 doesn't even exist on linux.

 But there is a very simple solution, if safety is the reason to not include 
 my patch:

 I can change it so it only support gnumeric files, not excel files. 
 ssconvert can convert oocalc, excel and gnumeric. But LyX can stick with 
 the .gnumeric extension in order to be safe. I don't think gnumeric has 
 such vulnerabilities designed into it.

 Would that be interesting?

i'm all for having support of gnumeric/excel/oofice. but we are talking
about delicate issue - before adding ssconvert we should be pretty
confident that it only produces .tex files without running any
additional code/script in the source files. (question on gnumeric devs?)

apart from that the original patch was pretty clear, so i dont see any other
hindrances.

pavel

Re: spreadsheet capability?

[Helge Hafting]

On 29. mai 2010 01:56, Pavel Sanda wrote:

Liviu Andronic wrote:

On Fri, May 28, 2010 at 8:23 PM, Guenter Milde  wrote:

However, the Gnumeric spreadsheet has a LaTeX export feature, so one
could possibly write an "external inset" wrapper for it.


Apparently there is a patch [1] by Helge Hafting. More info on the
subject in this thread [2] and on the wiki [3].
Liviu

PS Would the devels consider including the patch in LyX 2.0?


please do you have any idea whether is safe to use blindly ssconvert or gnumeric
in the sense that attacker can't write eg some excel macro-virus which would
get executed via ssconvert or gnumeric?

I don't know if ssconvert supports excel macros well enough to run a 
virus. I though macro viruses generally abused a visual basic interface 
that doesn't even exist on linux.


But there is a very simple solution, if safety is the reason to not 
include my patch:


I can change it so it only support gnumeric files, not excel files. 
ssconvert can convert oocalc, excel and gnumeric. But LyX can stick with 
the .gnumeric extension in order to be safe. I don't think gnumeric has 
such vulnerabilities designed into it.


Would that be interesting?


we have already rejected gnuplot support because of the fact that somebody
could embed script like "! rm -rf /" into .lyx file...

Re: spreadsheet capability?

[Pavel Sanda]

Helge Hafting wrote:
>> please do you have any idea whether is safe to use blindly ssconvert or 
>> gnumeric
>> in the sense that attacker can't write eg some excel macro-virus which 
>> would
>> get executed via ssconvert or gnumeric?
>>
> I don't know if ssconvert supports excel macros well enough to run a virus. 
> I though macro viruses generally abused a visual basic interface that 
> doesn't even exist on linux.
>
> But there is a very simple solution, if safety is the reason to not include 
> my patch:
>
> I can change it so it only support gnumeric files, not excel files. 
> ssconvert can convert oocalc, excel and gnumeric. But LyX can stick with 
> the .gnumeric extension in order to be safe. I don't think gnumeric has 
> such vulnerabilities designed into it.
>
> Would that be interesting?

i'm all for having support of gnumeric/excel/oofice. but we are talking
about delicate issue - before adding ssconvert we should be pretty
confident that it only produces .tex files without running any
additional code/script in the source files. (question on gnumeric devs?)

apart from that the original patch was pretty clear, so i dont see any other
hindrances.

pavel

spreadsheet capability?

[xPol]

Has anybody ever tried to provide lyx with some spreadsheet capability, 
exploiting its symbolic computation backends?

thank you 
---P

Re: spreadsheet capability?

[Guenter Milde]

On 2010-05-28, xPol wrote:
 Has anybody ever tried to provide lyx with some spreadsheet capability, 
 exploiting its symbolic computation backends?

Not to my knowledge.

However, the Gnumeric spreadsheet has a LaTeX export feature, so one
could possibly write an external inset wrapper for it.

Günter

Re: spreadsheet capability?

[Liviu Andronic]

On Fri, May 28, 2010 at 8:23 PM, Guenter Milde mi...@users.berlios.de wrote:
 However, the Gnumeric spreadsheet has a LaTeX export feature, so one
 could possibly write an external inset wrapper for it.

Apparently there is a patch [1] by Helge Hafting. More info on the
subject in this thread [2] and on the wiki [3].
Liviu

PS Would the devels consider including the patch in LyX 2.0?

[1] http://www.mail-archive.com/lyx-devel@lists.lyx.org/msg132049.html
[2] http://www.mail-archive.com/lyx-us...@lists.lyx.org/msg75702.html
[3] http://wiki.lyx.org/Tips/CopyTablesFromSpreadsheets

Re: spreadsheet capability?

[Pavel Sanda]

Liviu Andronic wrote:
 On Fri, May 28, 2010 at 8:23 PM, Guenter Milde mi...@users.berlios.de wrote:
  However, the Gnumeric spreadsheet has a LaTeX export feature, so one
  could possibly write an external inset wrapper for it.
 
 Apparently there is a patch [1] by Helge Hafting. More info on the
 subject in this thread [2] and on the wiki [3].
 Liviu
 
 PS Would the devels consider including the patch in LyX 2.0?

please do you have any idea whether is safe to use blindly ssconvert or gnumeric
in the sense that attacker can't write eg some excel macro-virus which would
get executed via ssconvert or gnumeric?

we have already rejected gnuplot support because of the fact that somebody
could embed script like ! rm -rf / into .lyx file...

pavel

spreadsheet capability?

[xPol]

Has anybody ever tried to provide lyx with some spreadsheet capability, 
exploiting its symbolic computation backends?

thank you 
---P

Re: spreadsheet capability?

[Guenter Milde]

On 2010-05-28, xPol wrote:
> Has anybody ever tried to provide lyx with some spreadsheet capability, 
> exploiting its symbolic computation backends?

Not to my knowledge.

However, the Gnumeric spreadsheet has a LaTeX export feature, so one
could possibly write an "external inset" wrapper for it.

Günter

Re: spreadsheet capability?

[Liviu Andronic]

On Fri, May 28, 2010 at 8:23 PM, Guenter Milde  wrote:
> However, the Gnumeric spreadsheet has a LaTeX export feature, so one
> could possibly write an "external inset" wrapper for it.
>
Apparently there is a patch [1] by Helge Hafting. More info on the
subject in this thread [2] and on the wiki [3].
Liviu

PS Would the devels consider including the patch in LyX 2.0?

[1] http://www.mail-archive.com/lyx-devel@lists.lyx.org/msg132049.html
[2] http://www.mail-archive.com/lyx-us...@lists.lyx.org/msg75702.html
[3] http://wiki.lyx.org/Tips/CopyTablesFromSpreadsheets

Re: spreadsheet capability?

[Pavel Sanda]

Liviu Andronic wrote:
> On Fri, May 28, 2010 at 8:23 PM, Guenter Milde  wrote:
> > However, the Gnumeric spreadsheet has a LaTeX export feature, so one
> > could possibly write an "external inset" wrapper for it.
> >
> Apparently there is a patch [1] by Helge Hafting. More info on the
> subject in this thread [2] and on the wiki [3].
> Liviu
> 
> PS Would the devels consider including the patch in LyX 2.0?

please do you have any idea whether is safe to use blindly ssconvert or gnumeric
in the sense that attacker can't write eg some excel macro-virus which would
get executed via ssconvert or gnumeric?

we have already rejected gnuplot support because of the fact that somebody
could embed script like "! rm -rf /" into .lyx file...

pavel