> If you want to introduce such support for doc, rtf, etc, then you should do it the way we handle
> dia, xfig, and the like. We should check for a "real" viewer, such as OpenOffice, Word, or
> whatever, and if we don't find one then it just defaults to "auto".
What is the advantage? I don't have Word on my machine, so when I execute a doc file, again the
default viewer will be opened. In this case it is Wordpad, which is available on all Windows systems.
And no, we don't have a security hole. When I execute a file, no matter what type it is, the default
program tries to open it. So when you get an infected HTML file, e.g. Firefox will try to open it.
If it then infects your system, it's a bug in Firefox. If the default viewer is a spam or virus
program, it is again your problem because the setting for the default program requires changes in
the registry and thus admin permissions. The admin account is only for administration. Users who are
logged in as admin to surf the Internet are already lost. Without admin permissions you are safe
because viruses cannot write to your registry or destroy backup drives.
> The same for WMF and EMF. If you don't like that, then you should at least replace the "%s" in
> the lines you changed with "auto". As it is now, I think we have a very big security hole.
What's the difference? "%s" writes "auto", doesn't it? WMF and EMF are image formats like JPG and
should be treated the same.
> Actually, I'd like someone to explain to me whether we don't already have one. Suppose I send
> someone a LyX file together with an executable virus, disguised as a WMF, and then attempt to view
> or edit it from inside LyX. Can't this cause that file to be executed, thus infecting the user's
> system?
No, this could only infect the system when you have admin permissions and even then only if your PC
is already infected. By executing the WMF file you always call the default program for that. So to
become infected, the default program needs to have a security hole or be already infected.
Your scenario is like getting an email with an attachment. You don't become infected by opening a
virus email attachment when you are not admin and when it is not an executable. When you execute
executables, they can only destroy the account that is currently logged in, not the whole system. When a
virus has the name "bla53b.ex.jgp" it will not directly be executed but your default image viewer is
started. A file is only directly executed when it has the suffix .exe, .bat or .com.
LyX itself doesn't include any file - LyX is not dangerous. You can always open a LyX file without
being scared.
(If you don't trust files sent to you, use a virus scanner, but this is independent of LyX or any other
program.)
regards Uwe
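
The disguised-file scenario raised in the quoted question, as an added example that is not part of the original message and not LyX code: a check that compares a file's leading bytes with the format its suffix claims before the file is handed to the operating system's default viewer. The function names, the suffix table and the sample files are assumptions constructed for illustration.

```python
import os
import tempfile

def sniff(data: bytes) -> str:
    """Return the format suggested by the leading bytes (well-known magic numbers)."""
    if data[:2] == b"MZ":
        return "exe"                      # DOS/PE executable header
    if data[:4] == b"\xd7\xcd\xc6\x9a":
        return "wmf"                      # placeable WMF header key
    if data[:4] in (b"\x01\x00\x09\x00", b"\x02\x00\x09\x00"):
        return "wmf"                      # standard WMF header (type, header size 9)
    if data[:4] == b"\x01\x00\x00\x00" and data[40:44] == b" EMF":
        return "emf"                      # EMR_HEADER record plus signature at offset 40
    if data[:3] == b"\xff\xd8\xff":
        return "jpg"                      # JPEG start-of-image marker
    return "unknown"

# Hypothetical table: suffixes this check covers and the content each must have.
EXPECTED = {".wmf": "wmf", ".emf": "emf", ".jpg": "jpg", ".jpeg": "jpg"}

def safe_for_default_viewer(path: str) -> bool:
    """True only if the file content matches what its suffix claims."""
    expected = EXPECTED.get(os.path.splitext(path)[1].lower())
    if expected is None:
        return False                      # suffix not covered: refuse rather than guess
    with open(path, "rb") as fh:
        return sniff(fh.read(64)) == expected

def demo() -> dict:
    """Write constructed sample files to a temp dir and classify each one."""
    samples = {  # constructed sample data, not real images or programs
        "figure.wmf": b"\xd7\xcd\xc6\x9a" + b"\x00" * 60,
        "disguised.wmf": b"MZ\x90\x00" + b"\x00" * 60,
        "holiday.jpg": b"MZ\x90\x00" + b"\x00" * 60,
        "plot.emf": b"\x01\x00\x00\x00" + b"\x00" * 36 + b" EMF" + b"\x00" * 20,
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(content)
            results[name] = safe_for_default_viewer(path)
    return results

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'hand to default viewer' if ok else 'refuse'}")
```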