Re: Policy for opening url links in documents
On Thu, Aug 17, 2023 at 08:54:43AM +0200, Jürgen Spitzmüller wrote:
> So a dialog that says:
>
> LyX wants to open the following link in an external application:
>
> Be aware that this might entail security infringements. Only do this if
> you trust the origin of the document and the target of the link!
>
> How do you want to proceed?
>
> [Open link] [Abort (=default)]
>
> [ ] Trust this document and do not ask me again!

I edited the middle sentence slightly. Otherwise looks good to me.

Pavel
--
lyx-devel mailing list
lyx-devel@lists.lyx.org
http://lists.lyx.org/mailman/listinfo/lyx-devel
Re: Policy for opening url links in documents
On Thursday, 17.08.2023 at 18:34 +0200, Pavel Sanda wrote:
> My point was that I would add "trust of the source of the document"
> in the equation as well (in whatever wording).
> Eye-inspection of the URL can be easily befooled if the document comes
> from an attacker.

I agree that this should be part of the message.

--
Jürgen
Re: Policy for opening url links in documents
On Thu, Aug 17, 2023 at 05:32:37PM +0200, Jürgen Spitzmüller wrote:
> On Thursday, 17.08.2023 at 17:27 +0200, Jürgen Spitzmüller wrote:
> > I think it is useful to see the URL/target and then decide. If I get
> > a document from someone else and the proposed link looks suspicious,
> > I'd rather not open it. Other links might look trustworthy and I can
> > proceed for those.
>
> Pretty common use case: people download illegal copies, often without
> being aware of the legal problem, from suspicious servers, and might
> add links to their bib file (or Zotero does it?). I don't want my
> browser being directed to such sites.
>
> This can happen with people you generally "trust".

I see your point and do not have a problem with presenting the URL in the
dialog as you proposed.

My point was that I would add "trust of the source of the document" in the
equation as well (in whatever wording). Eye-inspection of the URL can be
easily befooled if the document comes from an attacker.

Pavel
Re: Policy for opening url links in documents
On Thu, Aug 17, 2023 at 11:09:54AM -0400, Richard Kimberly Heck wrote:
> The normal case, I assume, is: The document is mine, and so is the bib file.

Right, otherwise you are on the wild side. We should perhaps write something
along these lines in the User Guide as well.

Pavel
Re: Policy for opening url links in documents
On Thursday, 17.08.2023 at 17:27 +0200, Jürgen Spitzmüller wrote:
> I think it is useful to see the URL/target and then decide. If I get
> a document from someone else and the proposed link looks suspicious,
> I'd rather not open it. Other links might look trustworthy and I can
> proceed for those.

Pretty common use case: people download illegal copies, often without
being aware of the legal problem, from suspicious servers, and might
add links to their bib file (or Zotero does it?). I don't want my
browser being directed to such sites.

This can happen with people you generally "trust".

--
Jürgen
Re: Policy for opening url links in documents
On Thursday, 17.08.2023 at 16:47 +0200, Pavel Sanda wrote:
> On the other hand, to me the primary question is whether you trust the
> source of the document (basically someone else than you?), so the
> proposed warning dialog should imho ask whether you trust the origin of
> the document and cover at once all three cases:
>
> - hyperlinks
> - citation urls
> - lyxpaperview searches.

I think it is useful to see the URL/target and then decide. If I get a
document from someone else and the proposed link looks suspicious, I'd
rather not open it. Other links might look trustworthy and I can proceed
for those.

Of course, if the document and bib file are all mine, I can trust all
links right away.

--
Jürgen
Re: Policy for opening url links in documents
On 8/17/23 10:47, Pavel Sanda wrote:
> On Thu, Aug 17, 2023 at 08:54:43AM +0200, Jürgen Spitzmüller wrote:
> > BTW are we talking URLs only or also links to local files?
>
> I am actually not sure what magic can be done with the scheme prefixes,
> like what happens on mac if you specify something else than "file:///" or
> if the file is executable and you call it with "open", so we should be
> careful here.

Yes, this is the case that most worries me. The citation URLs come from
bibtex files, I assume, so wouldn't be things someone could embed in a
LyX document. But they could of course send along a 'local' bib file.

> > If the latter is also considered to be harmful, things will get
> > significantly more complicated if lyxpaperview.py is involved.
>
> That was the reason that lyxpaperview.py already has a separate RC
> variable and is disabled by default. We could add one more warning in
> the tooltip that enabling it is a security risk. Or move that option to
> the needauth section, so it's clear that it is a security-related option
> and you should know what you are doing.
>
> On the other hand, to me the primary question is whether you trust the
> source of the document (basically someone else than you?), so the
> proposed warning dialog should imho ask whether you trust the origin of
> the document and cover at once all three cases:
>
> - hyperlinks
> - citation urls
> - lyxpaperview searches

That seems good. We don't need separate control of all these things. The
normal case, I assume, is: The document is mine, and so is the bib file.

Riki
Re: Policy for opening url links in documents
On Wed, Aug 16, 2023 at 09:50:18PM -0400, Richard Kimberly Heck wrote:
> > BTW, there is a RC already (but not evaluated in this code path) -
> > citation_search. Perhaps it can be used here?
>
> That seems to be for something else---whether to use a script to search for
> a PDF or whatever---but it seems kind of redundant, since
> citation_search_view also has to be set.

It's actually not whether to use the script, it's for defining the path to
your own script which would search for the local pdf files. The idea behind
it is that everyone has a different way of storing/naming downloaded papers,
so it's impossible to have a script which applies across all users. It
targets only power-users, so I had documented it in the User Guide, but did
not provide any UI. You will need to be a coder to use this feature at all.

Pavel
Re: Policy for opening url links in documents
On Wed, Aug 16, 2023 at 07:00:18PM -0400, Richard Kimberly Heck wrote:
> On 8/16/23 18:29, Pavel Sanda wrote:
> > On Wed, Aug 16, 2023 at 05:30:56PM -0400, Richard Kimberly Heck wrote:
> > > > Now what are your opinions what we should do about it?
> > > > 1) nothing.
> > > > 2) add dialog before launching url. safer but super annoying.
> > > > 3) add dialog before launching url + don't ask again checkbox.
> > > >    not implemented - we'll also need to add session keys, which
> > > >    get erased often.
> > > > 4) add link target to context menu (non trivial to implement)
> > > > 5) add (by default disabled) checkbox in security preference to allow
> > > >    opening links for citations and hyperlinks similarly as we do with
> > > >    scripts.
> > > > 6) ?
> > > >
> > > > I tend to go for 5, but there might be other options I did not think of...
> > >
> > > I'm always quite paranoid about this. I suppose (5) is OK if people know
> > > what they're doing. Could we combine (3) and (5)? If we only have (5), then
> > > people might not discover this functionality.
> >
> > If discoverability is a problem in the case of 5, we might simply let
> > the item in the context menu visible, but disabled, so people get curious...
> >
> > > But perhaps in the dialog we could say something like, "If you want to
> > > disable this warning, see Tools> Preferences> Whatever".
> >
> > So you propose two RCs - one for 5) and one for disabling 3)?
>
> No, I meant one for (5), which would disable (3).

I see, I can live with that option as well.

Pavel
Re: Policy for opening url links in documents
On Thu, Aug 17, 2023 at 08:54:43AM +0200, Jürgen Spitzmüller wrote:
> I am not sure we really need a pref to bypass this measure, or disable
> the feature completely (as in needauth). This strikes me as
> overregulation.

I don't have a clear opinion here.

> BTW are we talking URLs only or also links to local files?

I am actually not sure what magic can be done with the scheme prefixes, like
what happens on mac if you specify something else than "file:///" or if the
file is executable and you call it with "open", so we should be careful here.

> If the latter is also considered to be harmful, things will get significantly
> more complicated if lyxpaperview.py is involved.

That was the reason that lyxpaperview.py already has a separate RC variable
and is disabled by default. We could add one more warning in the tooltip that
enabling it is a security risk. Or move that option to the needauth section,
so it's clear that it is a security-related option and you should know what
you are doing.

On the other hand, to me the primary question is whether you trust the source
of the document (basically someone else than you?), so the proposed warning
dialog should imho ask whether you trust the origin of the document and cover
at once all three cases:

- hyperlinks
- citation urls
- lyxpaperview searches.

Pavel
Re: Policy for opening url links in documents
On Wednesday, 16.08.2023 at 14:33 -0400, Scott Kostyshak wrote:
> I think Daniel is talking about:
>
> Document > Settings > Format > Output > "Allow running external
> programs"

Or, for that matter, Tools > Preferences > File Handling > Converters >
Use needauth option

> Whether 5 or 6, I wonder if it would be helpful to combine the
> preferences. i.e., have a preference "Trust document content", and
> then allow the user finer control if they prefer?

I also think it should be something along the line of shell escape, i.e.,
people can choose to trust the open link or abort, and they can decide to
trust the document. An important issue is that, if people choose to trust
the document, the trust should only hold on the current computer (as with
shell escape). Otherwise evil persons could set the trust before sending.

So a dialog that says:

LyX wants to open the following link in an external application:

Be aware that this might entail security infringements. Only do this if
you trust the target!

How do you want to proceed?

[Open link] [Abort (=default)]

[ ] Trust this document and do not ask me again!

---

I am not sure we really need a pref to bypass this measure, or disable the
feature completely (as in needauth). This strikes me as overregulation.

BTW are we talking URLs only or also links to local files? If the latter
is also considered to be harmful, things will get significantly more
complicated if lyxpaperview.py is involved.

The dialog above can be implemented easily (for web links).

--
Jürgen
Re: Policy for opening url links in documents
On 8/16/23 19:26, Stephan Witt wrote:
> On 17.08.2023 at 01:00, Richard Kimberly Heck wrote:
> > On 8/16/23 18:29, Pavel Sanda wrote:
> > > On Wed, Aug 16, 2023 at 05:30:56PM -0400, Richard Kimberly Heck wrote:
> > > > > Now what are your opinions what we should do about it?
> > > > > 1) nothing.
> > > > > 2) add dialog before launching url. safer but super annoying.
> > > > > 3) add dialog before launching url + don't ask again checkbox.
> > > > >    not implemented - we'll also need to add session keys, which
> > > > >    get erased often.
> > > > > 4) add link target to context menu (non trivial to implement)
> > > > > 5) add (by default disabled) checkbox in security preference to allow
> > > > >    opening links for citations and hyperlinks similarly as we do with
> > > > >    scripts.
> > > > > 6) ?
> > > > >
> > > > > I tend to go for 5, but there might be other options I did not think of...
> > > >
> > > > I'm always quite paranoid about this. I suppose (5) is OK if people know
> > > > what they're doing. Could we combine (3) and (5)? If we only have (5), then
> > > > people might not discover this functionality.
> > >
> > > If discoverability is a problem in the case of 5, we might simply let
> > > the item in the context menu visible, but disabled, so people get curious...
> > >
> > > > But perhaps in the dialog we could say something like, "If you want to
> > > > disable this warning, see Tools> Preferences> Whatever".
> > >
> > > So you propose two RCs - one for 5) and one for disabling 3)?
> >
> > No, I meant one for (5), which would disable (3).
> >
> > Riki
>
> BTW, there is a RC already (but not evaluated in this code path) -
> citation_search. Perhaps it can be used here?

That seems to be for something else---whether to use a script to search for
a PDF or whatever---but it seems kind of redundant, since
citation_search_view also has to be set.

Riki
Re: Policy for opening url links in documents
On 17.08.2023 at 01:00, Richard Kimberly Heck wrote:
> On 8/16/23 18:29, Pavel Sanda wrote:
> > On Wed, Aug 16, 2023 at 05:30:56PM -0400, Richard Kimberly Heck wrote:
> > > > Now what are your opinions what we should do about it?
> > > > 1) nothing.
> > > > 2) add dialog before launching url. safer but super annoying.
> > > > 3) add dialog before launching url + don't ask again checkbox.
> > > >    not implemented - we'll also need to add session keys, which
> > > >    get erased often.
> > > > 4) add link target to context menu (non trivial to implement)
> > > > 5) add (by default disabled) checkbox in security preference to allow
> > > >    opening links for citations and hyperlinks similarly as we do with
> > > >    scripts.
> > > > 6) ?
> > > >
> > > > I tend to go for 5, but there might be other options I did not think of...
> > >
> > > I'm always quite paranoid about this. I suppose (5) is OK if people know
> > > what they're doing. Could we combine (3) and (5)? If we only have (5), then
> > > people might not discover this functionality.
> >
> > If discoverability is a problem in the case of 5, we might simply let
> > the item in the context menu visible, but disabled, so people get curious...
> >
> > > But perhaps in the dialog we could say something like, "If you want to
> > > disable this warning, see Tools> Preferences> Whatever".
> >
> > So you propose two RCs - one for 5) and one for disabling 3)?
>
> No, I meant one for (5), which would disable (3).
>
> Riki

BTW, there is a RC already (but not evaluated in this code path) -
citation_search. Perhaps it can be used here?

Stephan
Re: Policy for opening url links in documents
On 8/16/23 18:29, Pavel Sanda wrote:
> On Wed, Aug 16, 2023 at 05:30:56PM -0400, Richard Kimberly Heck wrote:
> > > Now what are your opinions what we should do about it?
> > > 1) nothing.
> > > 2) add dialog before launching url. safer but super annoying.
> > > 3) add dialog before launching url + don't ask again checkbox.
> > >    not implemented - we'll also need to add session keys, which
> > >    get erased often.
> > > 4) add link target to context menu (non trivial to implement)
> > > 5) add (by default disabled) checkbox in security preference to allow
> > >    opening links for citations and hyperlinks similarly as we do with
> > >    scripts.
> > > 6) ?
> > >
> > > I tend to go for 5, but there might be other options I did not think of...
> >
> > I'm always quite paranoid about this. I suppose (5) is OK if people know
> > what they're doing. Could we combine (3) and (5)? If we only have (5), then
> > people might not discover this functionality.
>
> If discoverability is a problem in the case of 5, we might simply let
> the item in the context menu visible, but disabled, so people get curious...
>
> > But perhaps in the dialog we could say something like, "If you want to
> > disable this warning, see Tools> Preferences> Whatever".
>
> So you propose two RCs - one for 5) and one for disabling 3)?

No, I meant one for (5), which would disable (3).

Riki
Re: Policy for opening url links in documents
On Wed, Aug 16, 2023 at 05:30:56PM -0400, Richard Kimberly Heck wrote:
> > Now what are your opinions what we should do about it?
> > 1) nothing.
> > 2) add dialog before launching url. safer but super annoying.
> > 3) add dialog before launching url + don't ask again checkbox.
> >    not implemented - we'll also need to add session keys, which
> >    get erased often.
> > 4) add link target to context menu (non trivial to implement)
> > 5) add (by default disabled) checkbox in security preference to allow
> >    opening links for citations and hyperlinks similarly as we do with
> >    scripts.
> > 6) ?
> >
> > I tend to go for 5, but there might be other options I did not think of...
>
> I'm always quite paranoid about this. I suppose (5) is OK if people know
> what they're doing. Could we combine (3) and (5)? If we only have (5), then
> people might not discover this functionality.

If discoverability is a problem in the case of 5, we might simply let
the item in the context menu visible, but disabled, so people get curious...

> But perhaps in the dialog we could say something like, "If you want to
> disable this warning, see Tools> Preferences> Whatever".

So you propose two RCs - one for 5) and one for disabling 3)?

Pavel
Re: Policy for opening url links in documents
On 8/16/23 10:35, Pavel Sanda wrote:
> Hi,
>
> as a part of #12878 Stephan raised a question to what degree we should
> allow opening external links which are part of a citation in the document
> (or rather part of the .bib file).
>
> Currently we allow opening links stored in the "url" field of a bibtex
> entry or files stored in the "file" field by an entry in the context menu;
> what's worse, we don't show the link, so one can not check the url itself -
> a malevolent url can be provided (e.g. attacker web site, or maybe a url
> scheme trying to execute some local stuff).
>
> (We also allow a similar thing for hyperlink insets, but we at least show
> the target in the caption of the inset.)
>
> Now what are your opinions what we should do about it?
> 1) nothing.
> 2) add dialog before launching url. safer but super annoying.
> 3) add dialog before launching url + don't ask again checkbox.
>    not implemented - we'll also need to add session keys, which
>    get erased often.
> 4) add link target to context menu (non trivial to implement)
> 5) add (by default disabled) checkbox in security preference to allow
>    opening links for citations and hyperlinks similarly as we do with
>    scripts.
> 6) ?
>
> I tend to go for 5, but there might be other options I did not think of...

I'm always quite paranoid about this. I suppose (5) is OK if people know
what they're doing. Could we combine (3) and (5)? If we only have (5), then
people might not discover this functionality.

But perhaps in the dialog we could say something like, "If you want to
disable this warning, see Tools> Preferences> Whatever".

Riki
Re: Policy for opening url links in documents
On 2023-08-16 20:33, Scott Kostyshak wrote:
> On Wed, Aug 16, 2023 at 06:30:38PM +0200, Daniel wrote:
> > On 2023-08-16 16:35, Pavel Sanda wrote:
> > > Hi,
> > >
> > > as a part of #12878 Stephan raised a question to what degree we should
> > > allow opening external links which are part of a citation in the
> > > document (or rather part of the .bib file).
> > >
> > > Currently we allow opening links stored in the "url" field of a bibtex
> > > entry or files stored in the "file" field by an entry in the context
> > > menu; what's worse, we don't show the link, so one can not check the
> > > url itself - a malevolent url can be provided (e.g. attacker web site,
> > > or maybe a url scheme trying to execute some local stuff).
> > >
> > > (We also allow a similar thing for hyperlink insets, but we at least
> > > show the target in the caption of the inset.)
> > >
> > > Now what are your opinions what we should do about it?
> > > 1) nothing.
> > > 2) add dialog before launching url. safer but super annoying.
> > > 3) add dialog before launching url + don't ask again checkbox.
> > >    not implemented - we'll also need to add session keys, which
> > >    get erased often.
> > > 4) add link target to context menu (non trivial to implement)
> > > 5) add (by default disabled) checkbox in security preference to allow
> > >    opening links for citations and hyperlinks similarly as we do with
> > >    scripts.
> > > 6) ?
> > >
> > > I tend to go for 5, but there might be other options I did not think of...
> >
> > FWIW, I have seen only 1, 2 and 3 implemented in other applications when
> > launching external URLs but none of the others.
> >
> > A possible
> >
> > 6) Per document enabling: when there are external URLs in a document that
> > could be opened, a message appears at the top asking whether the document
> > should be trusted in that respect.
> >
> > It's similar to how VS Code asks whether to enable extensions for a
> > document. Not sure whether I like it myself.
>
> I think Daniel is talking about:
>
> Document > Settings > Format > Output > "Allow running external programs"

No, I wasn't aware of that option's existence and still don't know what it
does. :) Not sure where the misunderstanding is though.

Daniel
Re: Policy for opening url links in documents
On Wed, Aug 16, 2023 at 06:30:38PM +0200, Daniel wrote:
> On 2023-08-16 16:35, Pavel Sanda wrote:
> > Hi,
> >
> > as a part of #12878 Stephan raised a question to what degree we should
> > allow opening external links which are part of a citation in the document
> > (or rather part of the .bib file).
> >
> > Currently we allow opening links stored in the "url" field of a bibtex
> > entry or files stored in the "file" field by an entry in the context menu;
> > what's worse, we don't show the link, so one can not check the url itself -
> > a malevolent url can be provided (e.g. attacker web site, or maybe a url
> > scheme trying to execute some local stuff).
> >
> > (We also allow a similar thing for hyperlink insets, but we at least show
> > the target in the caption of the inset.)
> >
> > Now what are your opinions what we should do about it?
> > 1) nothing.
> > 2) add dialog before launching url. safer but super annoying.
> > 3) add dialog before launching url + don't ask again checkbox.
> >    not implemented - we'll also need to add session keys, which
> >    get erased often.
> > 4) add link target to context menu (non trivial to implement)
> > 5) add (by default disabled) checkbox in security preference to allow
> >    opening links for citations and hyperlinks similarly as we do with
> >    scripts.
> > 6) ?
> >
> > I tend to go for 5, but there might be other options I did not think of...
>
> FWIW, I have seen only 1, 2 and 3 implemented in other applications when
> launching external URLs but none of the others.
>
> A possible
>
> 6) Per document enabling: when there are external URLs in a document that
> could be opened, a message appears at the top asking whether the document
> should be trusted in that respect.
>
> It's similar to how VS Code asks whether to enable extensions for a
> document. Not sure whether I like it myself.

I think Daniel is talking about:

Document > Settings > Format > Output > "Allow running external programs"

Whether 5 or 6, I wonder if it would be helpful to combine the preferences.
i.e., have a preference "Trust document content", and then allow the user
finer control if they prefer?

Scott
Re: Policy for opening url links in documents
On 2023-08-16 16:35, Pavel Sanda wrote:
> Hi,
>
> as a part of #12878 Stephan raised a question to what degree we should
> allow opening external links which are part of a citation in the document
> (or rather part of the .bib file).
>
> Currently we allow opening links stored in the "url" field of a bibtex
> entry or files stored in the "file" field by an entry in the context menu;
> what's worse, we don't show the link, so one can not check the url itself -
> a malevolent url can be provided (e.g. attacker web site, or maybe a url
> scheme trying to execute some local stuff).
>
> (We also allow a similar thing for hyperlink insets, but we at least show
> the target in the caption of the inset.)
>
> Now what are your opinions what we should do about it?
> 1) nothing.
> 2) add dialog before launching url. safer but super annoying.
> 3) add dialog before launching url + don't ask again checkbox.
>    not implemented - we'll also need to add session keys, which
>    get erased often.
> 4) add link target to context menu (non trivial to implement)
> 5) add (by default disabled) checkbox in security preference to allow
>    opening links for citations and hyperlinks similarly as we do with
>    scripts.
> 6) ?
>
> I tend to go for 5, but there might be other options I did not think of...

FWIW, I have seen only 1, 2 and 3 implemented in other applications when
launching external URLs but none of the others.

A possible

6) Per document enabling: when there are external URLs in a document that
could be opened, a message appears at the top asking whether the document
should be trusted in that respect.

It's similar to how VS Code asks whether to enable extensions for a
document. Not sure whether I like it myself.

Daniel
Policy for opening url links in documents
Hi,

as a part of #12878 Stephan raised a question to what degree we should allow
opening external links which are part of a citation in the document (or rather
part of the .bib file).

Currently we allow opening links stored in the "url" field of a bibtex entry
or files stored in the "file" field by an entry in the context menu; what's
worse, we don't show the link, so one can not check the url itself - a
malevolent url can be provided (e.g. attacker web site, or maybe a url scheme
trying to execute some local stuff).

(We also allow a similar thing for hyperlink insets, but we at least show
the target in the caption of the inset.)

Now what are your opinions what we should do about it?
1) nothing.
2) add dialog before launching url. safer but super annoying.
3) add dialog before launching url + don't ask again checkbox.
   not implemented - we'll also need to add session keys, which
   get erased often.
4) add link target to context menu (non trivial to implement)
5) add (by default disabled) checkbox in security preference to allow
   opening links for citations and hyperlinks similarly as we do with
   scripts.
6) ?

I tend to go for 5, but there might be other options I did not think of...

Pavel
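The policy the thread converges on (show the target before opening, Abort as the default button, per-document trust that is held only on the local machine so a sender cannot pre-set it, and extra caution for anything that is not a plain web link or local file), as a constructed Python sketch added here. It is not LyX code; `classify`, `LinkPolicy`, the refuse-by-default rule for unknown schemes and the sample paths are all assumptions of this example.

```python
"""Constructed sketch of a link-opening policy for bib/hyperlink targets."""
from dataclasses import dataclass, field
from enum import Enum
from urllib.parse import urlsplit


class Decision(Enum):
    OPEN = "open"      # open without asking: document trusted on this machine
    ASK = "ask"        # show the dialog; the default button is Abort
    REFUSE = "refuse"  # never hand this target to an external application


WEB_SCHEMES = {"http", "https"}


def classify(url: str) -> tuple[str, str]:
    """Return (kind, detail) for a target: kind is "web", "local" or "other".

    Assumption: anything that is neither a well-formed http(s) URL nor a plain
    file target is "other", because the user cannot judge by eye what the
    platform handler (e.g. "open" on mac) will do with an unfamiliar scheme.
    """
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme in WEB_SCHEMES:
        return ("web", parts.netloc) if parts.netloc else ("other", "malformed web URL")
    if scheme in ("file", ""):
        return ("local", parts.path)
    if len(scheme) == 1 and scheme.isalpha():  # "C:\papers\x.pdf" style drive path
        return ("local", url.strip())
    return ("other", f"scheme '{scheme}'")


def dialog_text(url: str) -> str:
    """The warning from the thread, with the target spelled out for inspection."""
    return (
        "LyX wants to open the following link in an external application:\n\n"
        f"    {url}\n\n"
        "Be aware that this might entail security infringements. Only do this if\n"
        "you trust the origin of the document and the target of the link!\n\n"
        "How do you want to proceed?\n\n"
        "[Open link] [Abort (=default)]\n\n"
        "[ ] Trust this document and do not ask me again!"
    )


@dataclass
class LinkPolicy:
    # Trust is keyed by document path and lives only in this object, i.e. on
    # this computer (like shell-escape trust), never inside the .lyx or .bib
    # file, so whoever sends the document cannot set it in advance.
    trusted_docs: set = field(default_factory=set)

    def trust_document(self, doc_path: str) -> None:
        self.trusted_docs.add(doc_path)

    def decide(self, doc_path: str, url: str) -> tuple[Decision, str]:
        kind, detail = classify(url)
        if kind == "other":
            return Decision.REFUSE, f"refusing {detail}"
        if kind == "local":
            # Assumption: local files always prompt, even for a trusted
            # document, since "open" on an executable is the worrying case.
            return Decision.ASK, f"local file {detail}"
        if doc_path in self.trusted_docs:
            return Decision.OPEN, f"web link to {detail}"
        return Decision.ASK, f"web link to {detail}"


if __name__ == "__main__":
    policy = LinkPolicy()
    doc = "/home/me/paper.lyx"  # constructed sample document path
    for target in ("https://example.org/paper.pdf", "file:///tmp/paper.pdf",
                   "x-unknown:payload"):  # constructed sample targets
        decision, why = policy.decide(doc, target)
        print(f"{decision.value:6} {why}")
        if decision is Decision.ASK:
            print(dialog_text(target))
```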