A required environment variable to enable processing startup scripts seems like a reasonable precaution. And/or perhaps a command line option?

    leo --autoexec=True %home%\workbook.leo

would probably want to restrict to enabling it only for the file(s) named on the command line. Actually, thinking about this more, I think a command line parameter is better than an environment var: easier to turn on and off for specific needs (and harder to forget that it's active).

-matt

On Wed, Jan 15, 2014 at 3:56 AM, Edward K. Ream <[email protected]> wrote:
> It's sickening to contemplate .leo files that execute malicious scripts in
> @script nodes. This is an existential threat to Leo's reputation.
>
> Rev 6574 corrects a major security vulnerability: it prohibits setting
> @bool scripting-at-script-nodes = True in local (non-settings) files.
>
> But this is not good enough. Leo must require that an environment
> variable, say leo-startup-scripting, be True. That will prevent any .leo
> file from enabling startup scripting all by itself. I'll add this
> additional lock today.
>
> Alas, malicious .leo files can still "deliver" malicious scripts in other
> ways, for example, by creating an @button node ("press me!") that runs a
> malicious script directly, or worse, sets leo-startup-scripting to True!
>
> Edward
>
> --
> You received this message because you are subscribed to the Google Groups
> "leo-editor" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To post to this group, send email to [email protected].
> Visit this group at http://groups.google.com/group/leo-editor.
> For more options, visit https://groups.google.com/groups/opt_out.
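The gating rule the thread converges on can be shown in a few dozen lines. The following is an added illustration, not Leo's code: a toy loader that decides whether a document's startup scripts may run, where trust comes only from outside the document (an `--autoexec` switch that applies solely to the files named on the same command line, or a process-wide environment variable) and the document's own `scripting-at-script-nodes` setting is read only to report the attempt, never to grant rights. The documents are constructed stand-ins for `.leo` files, `--autoexec` is a plain switch rather than the `=True` form in the message, and `LEO_STARTUP_SCRIPTING` is an assumed spelling of the variable Edward calls `leo-startup-scripting`.

```python
"""Added example: an external trust gate for document-embedded startup scripts.

Policy demonstrated (illustrative, not Leo's implementation):
  1. a file's own settings can never enable startup scripting;
  2. --autoexec enables it only for the files named on that command line;
  3. an environment variable (assumed name LEO_STARTUP_SCRIPTING) enables it
     process-wide, which is why the thread prefers the per-file switch.
"""
import argparse
import os
import sys
from dataclasses import dataclass
from typing import Dict, Iterable, List, Mapping, Optional

# Constructed stand-in documents (not real .leo files). Both try to grant
# themselves scripting rights through a local @bool setting.
SAMPLE_DOCS: Dict[str, dict] = {
    "workbook.leo": {
        "settings": {"scripting-at-script-nodes": "True"},
        "scripts": ["print('workbook startup')"],
    },
    "untrusted.leo": {
        "settings": {"scripting-at-script-nodes": "True"},
        "scripts": ["print('unexpected payload')"],
    },
}

TRUTHY = {"1", "true", "yes", "on"}


@dataclass(frozen=True)
class Decision:
    path: str
    run: bool
    reason: str


def _norm(path: str) -> str:
    """Compare paths after normalisation so 'a.leo' and './a.leo' match."""
    return os.path.normcase(os.path.abspath(path))


def startup_scripting_allowed(
    path: str,
    doc: Mapping,
    autoexec_files: Iterable[str] = (),
    env: Optional[Mapping[str, str]] = None,
) -> Decision:
    """Decide whether @script nodes in `doc` may run at startup.

    The document's own setting is inspected only so the refusal message can
    name the attempt; it never contributes to the decision.
    """
    env = os.environ if env is None else env
    local_setting = str(doc.get("settings", {}).get("scripting-at-script-nodes", ""))
    local_claim = local_setting.lower() in TRUTHY

    if _norm(path) in {_norm(p) for p in autoexec_files}:
        return Decision(path, True, "named on the command line with --autoexec")

    # Assumed variable name; the thread only says "say leo-startup-scripting".
    if env.get("LEO_STARTUP_SCRIPTING", "").lower() in TRUTHY:
        return Decision(path, True, "LEO_STARTUP_SCRIPTING is set for the whole process")

    reason = "no external opt-in"
    if local_claim:
        reason += "; local setting scripting-at-script-nodes=True ignored"
    return Decision(path, False, reason)


def parse_command_line(argv: List[str]) -> argparse.Namespace:
    parser = argparse.ArgumentParser(prog="leo")  # toy parser, not Leo's
    parser.add_argument("--autoexec", action="store_true",
                        help="allow startup scripts, for the files named here only")
    parser.add_argument("files", nargs="*")
    return parser.parse_args(argv)


def decide_all(argv: List[str], docs: Mapping[str, dict],
               env: Optional[Mapping[str, str]] = None) -> List[Decision]:
    """Evaluate every open document, including ones not named on the command
    line (e.g. opened later in the session): they get no --autoexec trust."""
    args = parse_command_line(argv)
    allow = args.files if args.autoexec else []
    return [startup_scripting_allowed(p, docs[p], allow, env) for p in docs]


if __name__ == "__main__":
    for d in decide_all(sys.argv[1:], SAMPLE_DOCS):
        print(f"{d.path}: {'RUN' if d.run else 'skip'} ({d.reason})")
```

Running `python gate.py --autoexec workbook.leo` marks only `workbook.leo` as runnable and reports that `untrusted.leo` tried to unlock itself; running with `LEO_STARTUP_SCRIPTING=true` and no `--autoexec` unlocks every document, which is the breadth Matt's per-file switch avoids.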
