On 04/11/2016 at 10:22, Tommaso Cucinotta wrote:
> Guess one could try to filter out execution of external commands before
> sending them to gnuplot, within the gnuplot2pdf.py, but that might limit
> functionality (should catch the !cmd syntax, but also the plot "< cmd"
> syntax, with the latter one being one of my common use-cases :-) ).

I am sure that such a filter could be worked around.

> On a related note, you can already execute external scripts from LaTeX
> through \write18{...} or \input{|command...}, albeit that seems to need
> an explicit -shell-escape on the command-line to LaTeX, in order to
> enable the feature. Also, I guess that integration of external materials
> suffers from similar security risks.
>
> Another big hole is Sweave/knitr.
>
> Are we sure a bomb-virus .lyx file is not already possible with today's
> LyX features :-) ?

The solution is probably to mark some converters or templates as "dangerous" and show warnings to the user the first time they are used (maybe on a per-document basis).

JMarc
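A sketch of what the "dangerous converter" warning discussed in this thread could key on, as an added example that is not LyX's or gnuplot2pdf.py's own code. It scans a gnuplot script or LaTeX source for the shell-escape constructs named above (gnuplot `!cmd` and `plot "< cmd"`, LaTeX `\write18{...}` and `\input{|cmd}`) and records whether the user has already acknowledged the warning for a given document and converter. The gnuplot `shell`/`system` forms, the sample inputs and the function names are assumptions added here. As noted in the thread, a pattern list like this can be worked around, so it serves to trigger the warning, not to sanitise input.

```python
"""Flag shell-escape constructs before handing a file to a converter.

Added example (not LyX or gnuplot2pdf.py code). The pattern list is a
warning aid: it can miss obfuscated forms and may flag innocent text
such as set title "<5", so it should only decide whether to warn.
"""
import re

# gnuplot: '!cmd' at the start of a line, 'shell'/'system' commands
# (assumed forms, not named in the thread), and a '"< cmd"' data source.
GNUPLOT_PATTERNS = [
    (re.compile(r'^\s*!'), 'gnuplot shell command (!cmd)'),
    (re.compile(r'^\s*(shell|system)\b'), 'gnuplot shell/system command'),
    (re.compile(r'["\']\s*<\s*\S'), 'piped data source ("< cmd")'),
]

# LaTeX: \write18{...} and \input{|cmd}; both need -shell-escape to work,
# which is why the converter's command line matters as much as the source.
LATEX_PATTERNS = [
    (re.compile(r'\\write18\s*\{'), r'\write18 shell escape'),
    (re.compile(r'\\input\s*\{\s*\|'), r'\input{|cmd} pipe'),
]


def scan(text, patterns):
    """Return (line number, description, stripped line) for each hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for pat, desc in patterns:
            if pat.search(line):
                findings.append((lineno, desc, line.strip()))
    return findings


def is_dangerous(text, kind):
    """True when the source for converter 'kind' contains a flagged construct."""
    patterns = GNUPLOT_PATTERNS if kind == 'gnuplot' else LATEX_PATTERNS
    return bool(scan(text, patterns))


def warning_needed(acknowledged, document_id, converter):
    """Per-document, per-converter gate: warn once, then remember the answer.

    'acknowledged' is a set owned by the caller (e.g. stored with the
    document); the first call for a pair returns True and records it.
    """
    key = (document_id, converter)
    if key in acknowledged:
        return False
    acknowledged.add(key)
    return True


# Constructed sample inputs, not taken from any real document.
SAMPLE_GNUPLOT = """# constructed sample gnuplot script
set terminal pdf
plot "< sort data.txt" using 1:2 with lines
!echo hello
plot sin(x)
"""

SAMPLE_LATEX = r"""% constructed sample LaTeX source
\documentclass{article}
\begin{document}
\immediate\write18{ls}
\input{|"echo pipe"}
\end{document}
"""

if __name__ == '__main__':
    for kind, text, pats in (('gnuplot', SAMPLE_GNUPLOT, GNUPLOT_PATTERNS),
                             ('latex', SAMPLE_LATEX, LATEX_PATTERNS)):
        for lineno, desc, line in scan(text, pats):
            print(f'{kind}:{lineno}: {desc}: {line}')
    acks = set()
    print(warning_needed(acks, 'doc1.lyx', 'gnuplot'))  # first use: warn
    print(warning_needed(acks, 'doc1.lyx', 'gnuplot'))  # already acknowledged
```

Because the gate is keyed on the document as well as the converter, acknowledging the gnuplot converter for one file does not silence the warning for a different file that uses the same converter.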
