On Tue, Jan 14, 2014 at 2:46 PM, Jacob Peck <[email protected]> wrote:
> Makes me wonder... does mod_scripting only respect that setting from
> myLeoSettings.leo, or does it also listen to local (per-.leo file)
> settings?
>
Ouch!
> Because if that's the case... this is a huge security risk. Imagine a
> .leo with a malicious @script **and**
>
> @bool scripting-at-script-nodes = True. Chaos... the only true way to
> look at it is in an external editor, or a no-plugins-loaded version of Leo.
>
Imo, this warrants a special check in the core settings code. It should
disallow setting @bool scripting-at-script-nodes in local files!
An alternative almost-as-safe strategy would be for the mod_scripting
plugin to make that check, using the same mechanism used by the
print-settings command to determine the source of the file. Let me see how
that works...
Oh yes, it uses Kent's suggestion: g.app.config.config_iter(c):
Checking the plugin...
Fail! self.atScriptNodes = getBool('scripting-at-script-nodes')
So Leo is wide open at present. We've got to fix this yesterday.
Let's see how config_iter works...
    def config_iter(self,c):
        '''Letters:
              leoSettings.leo
        D default settings
        F loaded .leo File
        M myLeoSettings.leo
        '''
        lm = g.app.loadManager
        suppressKind = ('shortcut','shortcuts','openwithtable')
        suppressKeys = (None,'shortcut')
        # Per-commander settings if a commander is given, else the global ones.
        d = c.config.settingsDict if c else lm.globalSettingsDict
        for key in sorted(list(d.keys())):
            if key not in suppressKeys:
                gs = d.get(key)
                assert g.isGeneralSetting(gs),gs
                if gs and gs.kind not in suppressKind:
                    # gs.path is the file the setting came from; the letter
                    # encodes that source (see computeBindingLetter).
                    letter = lm.computeBindingLetter(gs.path)
                    yield key,gs.val,c,letter

    def computeBindingLetter(self,kind):
        if not kind:
            return 'D'
        # Order matters: myLeoSettings.leo also ends with 'leoSettings.leo'.
        table = (
            ('M','myLeoSettings.leo'),
            (' ','leoSettings.leo'),
            ('F','.leo'),
        )
        for letter,kind2 in table:
            if kind.lower().endswith(kind2.lower()):
                return letter
        else:
            return 'D' if kind.find('mode') == -1 else '@'
It would be best to define a convenience method, say
c.config.isLocalSetting(settingName). The mod_scripting plugin can then
refuse to honor a local setting for @bool scripting-at-script-nodes.
I'll do this immediately.
Edward
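The check proposed in this thread, worked out as an added example (not Leo's own code): a setting carries the path it was loaded from, the source is classified with the same letter scheme as computeBindingLetter above, and a plugin refuses to honor scripting-at-script-nodes when that letter is 'F'. The names GeneralSetting, compute_binding_letter, is_local_setting and at_script_nodes_enabled, and the sample paths, are constructed for this example.

```python
# Added example, not Leo's code. Names and sample paths are hypothetical;
# only the letter scheme mirrors Leo's computeBindingLetter.
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class GeneralSetting:
    """Minimal stand-in for Leo's general-setting object: kind, value, source path."""
    kind: str
    val: object
    path: Optional[str]  # None means a built-in default


def compute_binding_letter(path: Optional[str]) -> str:
    """M = myLeoSettings.leo, ' ' = leoSettings.leo, F = the loaded .leo file,
    D = default, @ = a mode file. Same order-sensitive suffix test as Leo's."""
    if not path:
        return 'D'
    table = (
        ('M', 'myLeoSettings.leo'),
        (' ', 'leoSettings.leo'),
        ('F', '.leo'),
    )
    for letter, suffix in table:
        if path.lower().endswith(suffix.lower()):
            return letter
    return 'D' if path.find('mode') == -1 else '@'


def is_local_setting(settings: Dict[str, GeneralSetting], name: str) -> bool:
    """True when the setting's value comes from the loaded .leo file itself."""
    gs = settings.get(name)
    return gs is not None and compute_binding_letter(gs.path) == 'F'


def at_script_nodes_enabled(settings: Dict[str, GeneralSetting]) -> bool:
    """What a hardened mod_scripting would do: a local True is not honored."""
    gs = settings.get('scripting-at-script-nodes')
    if gs is None or not gs.val:
        return False
    return not is_local_setting(settings, 'scripting-at-script-nodes')


# Constructed sample data: the same setting set in two different places.
SETTINGS_FROM_LOCAL = {
    'scripting-at-script-nodes': GeneralSetting('bool', True, '/home/user/work/untrusted.leo'),
}
SETTINGS_FROM_MY = {
    'scripting-at-script-nodes': GeneralSetting('bool', True, '/home/user/.leo/myLeoSettings.leo'),
}
```

With these inputs the local file's True is ignored (the function returns False) while the same setting in myLeoSettings.leo is honored.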