Hi,

For the purpose of discussions on safety/security and
needauth/shell-escape, I would like to have, and document, a more complete
picture of the different kinds of use scenarios where LyX causes code to be
executed that was either embedded in a LyX document, or in some external
file (script) that's referenced from a LyX document.

I've added the text below as a new section ("Execution of code from LyX")
to the wiki page on safety/security, but it contains some questions:
    http://wiki.lyx.org/Devel/SafetyAndSecurity#toc4

I also wonder if it's complete, i.e. if there are additional ways in which
LyX might cause code to be executed.

-------------------
!!! Execution of code from LyX

This section is intended to provide details of the different ways in which
LyX can cause (potentially dangerous) code to be executed.
The code in question could be stored directly in the LyX document, i.e. in
the .lyx-file, or stored in an external file, e.g. a script, that's
referenced by the LyX document.

TBC: The LyX program itself cannot directly execute any code, potentially
dangerous or otherwise. The reason is that the LyX program does not contain
any interpreter or compiler. Instead, LyX must always invoke (call) a tool
external to LyX in order for any code to actually be executed.

So in what ways can a LyX document contain code, or reference e.g. an
external script, that LyX can cause to be executed?

Here's an initial attempt at listing the cases:

!!!! Document preamble
The document preamble can contain arbitrary LaTeX code.
* Code is stored in the .lyx-file
* Execution occurs only when LyX exports the document as e.g. PDF
* LyX invokes e.g. pdflatex to execute the LaTeX code
* If option 'shell-escape' is provided to e.g. pdflatex, execution of the
LaTeX code can be dangerous
* Q: Is it dangerous if and only if the option shell-escape is passed to
e.g. pdflatex?
* Q: Are there differences regarding safety/security for pdflatex vs luatex
vs ...?

!!!! ERT
The document can contain ERTs which contain LaTeX code.
* Code is stored in the .lyx-file
* Execution occurs as for the preamble.
* Q: Can the LaTeX code in an ERT be arbitrary (from the point of view of
safety), assuming shell-escape is active?

!!!! Chunk insets
The document can contain "chunk insets" that can contain code, e.g. R-code
* Code is stored in the .lyx-file
* Execution occurs only when LyX exports the document as e.g. PDF
* LyX invokes an external tool to execute the code.
* Converter settings define which tool LyX will use and with what arguments
the tool is called.
* Q: What other languages than R are relevant for "chunk insets"?

!!!! Graphics insets

The document can contain graphics insets that reference a gnuplot script
* Code is stored in an external file (script)
* Execution occurs at preview or when ???? related to exporting a document.
* Converter settings define which external tool that'll be used to execute
the code ???

Besides gnuplot, what about e.g. 'Graphviz'?

!!!! Anything else?

Q: Is there anything else that can contain code or reference code?

-------------------

Some additional questions:

What about using the 'minted' package? How does that fit in with the
above?
It's not code manually added by the user, but code generated from some LyX
inset.
Or is it that we're sending a code listing to minted that sends it to
pygmentize, which might "execute" the code listing?


Is pure literate programming covered by the above?

Best regards,
Christian
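An added example, not from this thread or from the LyX project: a small scanner that inventories the cases listed above (preamble, ERT, chunk insets, Graphics insets pointing at a script) in a .lyx file, plus a check of whether a LyX preferences converter line passes shell escape to TeX. The inset names, the script-extension list and the sample document are assumptions.

```python
"""Inventory the code-bearing constructs in a .lyx file (added example)."""
import re

# Extensions that mark a Graphics inset as pointing at a script rather than
# an image; assumed list, extend it to match your own converter set-up.
SCRIPT_EXTENSIONS = {"gnuplot", "gp", "plt", "dot", "gv", "r", "py", "sh"}

def find_code_carriers(text):
    """Return (kind, line_no, detail) for preamble, ERT, chunk and script refs."""
    findings = []
    stack = []  # names of currently open insets, innermost last
    for num, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if s == "\\begin_preamble":
            findings.append(("preamble", num, ""))
        elif s.startswith("\\begin_inset "):
            name = s.split(None, 1)[1]  # e.g. "ERT", "Flex Chunk", "Graphics"
            stack.append(name)
            if name == "ERT":
                findings.append(("ERT", num, ""))
            elif name == "Flex Chunk":  # assumed on-disk name of a chunk inset
                findings.append(("chunk", num, ""))
        elif s == "\\end_inset" and stack:
            stack.pop()
        elif stack and stack[-1] == "Graphics" and s.startswith("filename "):
            fname = s.split(None, 1)[1]
            if fname.rsplit(".", 1)[-1].lower() in SCRIPT_EXTENSIONS:
                findings.append(("external script", num, fname))
    return findings

def converter_enables_shell_escape(pref_line):
    """True if a LyX preferences '\\converter' line passes shell escape to TeX."""
    return (pref_line.startswith("\\converter ")
            and re.search(r"--?(shell-escape|enable-write18)\b", pref_line) is not None)

# Constructed sample document: one preamble, one ERT, one chunk, one gnuplot ref.
SAMPLE_LYX = "\n".join([
    "\\begin_header", "\\begin_preamble", "\\usepackage{hyperref}",
    "\\end_preamble", "\\end_header", "\\begin_body",
    "\\begin_layout Standard", "\\begin_inset ERT", "status open",
    "\\begin_layout Plain Layout", "\\relax", "\\end_layout", "\\end_inset",
    "\\begin_inset Flex Chunk", "status open", "\\begin_layout Plain Layout",
    "<<setup>>=", "\\end_layout", "\\end_inset", "\\begin_inset Graphics",
    "\tfilename plot.gnuplot", "\\end_inset", "\\end_layout", "\\end_body",
])

if __name__ == "__main__":
    for kind, num, detail in find_code_carriers(SAMPLE_LYX):
        print(f"line {num}: {kind} {detail}".rstrip())
```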
