On 3/20/2019 10:46 PM, Pablo Rodriguez wrote:
Hans,
I have other comments for embedded files, but I need more time to
compose them.
Right now I would like to comment an issue with the following source:
\setupinteraction[state=start]
\starttext
\startTEXpage[offset=1em]
\attachment[/home/ousia/xml-mkiv.pdf]
[name=new-name.pdf,
title=Title,
subtitle=Subtitle,
method=hidden,
author=author]
\stopTEXpage
\stoptext
If method=hidden, a /Names dictionary is added, with the following content:
9 0 obj
<<
/Names [ (/home/ousia/xml-mkiv.pdf) 2 0 R ]
>>
endobj
In some scenarios, this could be a security issue.
Wouldn’t it be possible that the content of the /Names entries would be
replaced by the option keys title or name from \attachment?
could be an option (not that i see a security risk here but flagging
something as a 'security issue' seems to be popular anyway
but ... no changes in that bit of code for the next few weeks as we're
in the tex live code freeze window
Hans
-----------------------------------------------------------------
Hans Hagen | PRAGMA ADE
Ridderstraat 27 | 8061 GH Hasselt | The Netherlands
tel: 038 477 53 69 | www.pragma-ade.nl | www.pragma-pod.nl
-----------------------------------------------------------------
_______________________________________________
dev-context mailing list
dev-context@ntg.nl
https://mailman.ntg.nl/mailman/listinfo/dev-context
