Hi,

For the purpose of discussions on safety/security and needauth/shell-escape, I would like to have, and document, a more complete picture of the different kinds of use scenarios where LyX causes code to be executed that was either embedded in a LyX document, or in some external file (script) that's referenced from a LyX document.
I've added the text below as a new section ("Execution of code from LyX") to the wiki page on safety/security, but it contains some questions: http://wiki.lyx.org/Devel/SafetyAndSecurity#toc4

I also wonder if it's complete, i.e. if there are additional ways in which LyX might cause code to be executed.

-------------------

!!! Execution of code from LyX

This section is intended to provide details of the different ways in which LyX can cause (potentially dangerous) code to be executed. The code in question could be stored directly in the LyX document, i.e. in the .lyx-file, or stored in an external file, e.g. a script, that's referenced by the LyX document.

TBC: The LyX program itself cannot directly execute any code, potentially dangerous or otherwise. The reason is that the LyX program does not contain any interpreter or compiler. Instead, LyX must always invoke (call) a tool external to LyX in order for any code to actually be executed.

So in what ways can a LyX document contain code, or reference e.g. an external script, that LyX can cause to be executed? Here's an initial attempt at listing the cases:

!!!! Document preamble

The document preamble can contain arbitrary LaTeX code.
* Code is stored in the .lyx-file
* Execution occurs only when LyX exports the document as e.g. PDF
* LyX invokes e.g. pdflatex to execute the LaTeX code
* If option 'shell-escape' is provided to e.g. pdflatex, execution of the LaTeX code can be dangerous
* Q: Is it dangerous if and only if the option shell-escape is passed to e.g. pdflatex?
* Q: Are there differences regarding safety/security for pdflatex vs luatex vs ...?

!!!! ERT

The document can contain ERTs which contain LaTeX code.
* Code is stored in the .lyx-file
* Execution occurs as for the preamble.
* Q: Can the LaTeX code in an ERT be arbitrary (from the point of view of safety), assuming shell-escape is active?

!!!! Chunk insets

The document can contain "chunk insets" that can contain code, e.g. R-code.
* Code is stored in the .lyx-file
* Execution occurs only when LyX exports the document as e.g. PDF
* LyX invokes an external tool to execute the code.
* Converter settings define which tool LyX will use and with what arguments the tool is called.
* Q: What other languages than R are relevant for "chunk insets"?

!!!! Graphics insets

The document can contain graphics insets that reference a gnuplot script.
* Code is stored in an external file (script)
* Execution occurs at preview or when ???? related to exporting a document.
* Converter settings define which external tool will be used to execute the code
??? Besides gnuplot, what about e.g. 'Graphviz'?

!!!! Anything else?

Q: Is there anything else that can contain code or reference code?

-------------------

Some additional questions:

What about using the 'minted' package? How does that fit in with the above? It's not code manually added by the user, but code generated from some LyX inset. Or is it that we're sending a code listing to minted that sends it to pygmentize, which might "execute" the code listing?

Is pure literate programming covered by the above?

Best regards,
Christian
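As an added illustration (not part of the wiki text or of LyX itself), a small Python audit that inventories the four code-carrying constructs listed above in a .lyx file, so a reviewer can see what an export or preview would hand to external tools before running it. The header/inset keywords (\begin_preamble, \begin_inset ERT, \begin_inset Flex Chunk, \begin_inset Graphics with a filename line) are assumed from the LyX file format, the set of "script" extensions is an assumption, and the sample document is constructed and stripped down.

```python
# Constructed, stripped-down .lyx-style document (hand-written, not exported
# by LyX) containing the four code-carrying constructs discussed above.
SAMPLE_LYX = r"""\begin_preamble
\usepackage{graphicx}
\end_preamble
\begin_layout Standard
\begin_inset ERT
\backslash
input{foo}
\end_inset
\begin_inset Graphics
	filename plot.gnuplot
\end_inset
\begin_inset Graphics
	filename photo.png
\end_inset
\begin_inset Flex Chunk
x <- 1
\end_inset
\end_layout"""

SCRIPT_EXTS = {"gnuplot", "gp", "plt", "dot", "gv"}  # assumption: treated as scripts

def audit_lyx(text):
    """Inventory the places where a .lyx file carries or references code."""
    found = {"preamble": [], "ert": 0, "chunk": 0, "graphics_scripts": []}
    in_preamble = in_graphics = False
    for raw in text.splitlines():
        s = raw.strip()
        if s == r"\begin_preamble":
            in_preamble = True
        elif s == r"\end_preamble":
            in_preamble = False
        elif in_preamble:
            found["preamble"].append(s)       # arbitrary LaTeX, run at export
        elif s.startswith(r"\begin_inset ERT"):
            found["ert"] += 1                 # LaTeX in the body, run at export
        elif s.startswith(r"\begin_inset Flex Chunk"):
            found["chunk"] += 1               # e.g. R code, run via a converter
        elif s.startswith(r"\begin_inset Graphics"):
            in_graphics = True
        elif in_graphics and s.startswith("filename "):
            name = s.split(None, 1)[1]
            if name.rsplit(".", 1)[-1].lower() in SCRIPT_EXTS:
                found["graphics_scripts"].append(name)  # external script, run at preview/export
            in_graphics = False
        elif s == r"\end_inset":
            in_graphics = False
    return found
```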