On 8/17/23 10:47, Pavel Sanda wrote:
On Thu, Aug 17, 2023 at 08:54:43AM +0200, Jürgen Spitzmüller wrote:
BTW are we talking URLs only or also links to local files?

I am actually not sure what magic can be done with the scheme prefixes,
like what happens on mac if you specify something else than "file:///"
or if the file is executable and you call it with "open", so we should
be careful here.

Yes, this is the case that most worries me.

The citation URLs come from bibtex files, I assume, so wouldn't be things someone could embed in a LyX document. But they could of course send along a 'local' bib file.

If the latter is also considered to be harmful, things will get significantly 
more complicated if lyxpaperview.py is involved.
That was the reason that lyxpaperview.py has already separated RC variable and 
is disabled by default. We could add one more warning in the tooltip, that
enabling it is a security risk. Or move that option to the need auth section, so it's
clear that it is a security-related option and you should know what you are doing.

On the other hand to me the primary question is whether you trust the source of 
the document (basically someone else than you?), so the proposed warning dialog 
should imho ask whether you trust the origin of the document and cover at once all
three cases:

- hyperlinks
- citation urls
- lyxpaperview searches

That seems good. We don't need separate control of all these things. The normal case, I assume, is: The document is mine, and so is the bib file.

Riki
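One way the single per-document trust decision discussed above could be wired up, as an added illustration that is not LyX's code and not anything proposed by the participants: the three actions (hyperlinks, citation URLs, lyxpaperview searches) all consult one cached answer to "do you trust the origin of this document?", the lyxpaperview case additionally honours its disabled-by-default RC setting, and a link target is classified by what the OS launcher would do with it. The choice to let plain http/https/mailto links open without asking, and the names `DocumentTrustPolicy`, `link_risk` and `ask_user`, are assumptions of this example.

```python
from urllib.parse import urlparse

# Assumed policy (example code, not LyX's own): only plain web/mail links
# open without asking; anything that ends up in the OS launcher
# ("open", xdg-open, ...) is gated by one per-document trust decision.
REMOTE_SCHEMES = {"http", "https", "mailto"}
KINDS = {"hyperlink", "citation_url", "lyxpaperview"}


def link_risk(target: str) -> str:
    """Classify a link target by what the OS launcher would do with it.

    'remote' -> web/mail URL handled by the browser or mail client
    'local'  -> file:// URL or a bare path, i.e. a local file (maybe executable)
    'other'  -> any other scheme (custom URL handlers etc.)
    """
    scheme = urlparse(target.strip()).scheme  # urlparse lowercases the scheme
    if scheme in REMOTE_SCHEMES:
        return "remote"
    if scheme in ("", "file"):
        return "local"
    return "other"


class DocumentTrustPolicy:
    """One 'do you trust the origin of this document?' answer, asked at most
    once per document and applied to all three cases from the thread."""

    def __init__(self, ask_user, paperview_enabled=False):
        self._ask_user = ask_user                    # the dialog; returns True/False
        self._trusted = None                         # None = user not asked yet
        self.paperview_enabled = paperview_enabled   # lyxpaperview RC setting (assumed name)

    def document_trusted(self) -> bool:
        """Prompt the first time only; later calls reuse the answer."""
        if self._trusted is None:
            self._trusted = bool(self._ask_user())
        return self._trusted

    def allow(self, kind: str, target: str) -> bool:
        """Decide whether the action may run for this document."""
        if kind not in KINDS:
            raise ValueError(f"unknown action kind: {kind!r}")
        if kind == "lyxpaperview":
            # Disabled by default: when off, never search and never prompt.
            return self.paperview_enabled and self.document_trusted()
        if link_risk(target) == "remote":
            return True                      # ordinary web link: no prompt needed
        return self.document_trusted()       # local file or odd scheme: gate on trust
```

Because the answer is cached per document, a bib file carrying several `file://` entries produces one dialog rather than one per citation, which is the "cover all three cases at once" behaviour the thread asks for.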


--
lyx-devel mailing list
lyx-devel@lists.lyx.org
http://lists.lyx.org/mailman/listinfo/lyx-devel