> It is a fundamental flaw if the mere
> possibility of unbundling files to arbitrary locations *even within the
> document directory* leads to the possibility of executing arbitrary code on
> the user's machine.

Everything comes at a cost, and a good design should have the right
balance of benefits and costs. I have not seen the real benefit of
your proposal, but I have seen that you would like to limit users
to using only in-tree files, use a lyx-specified directory structure,
inconvenience in svn handling, non-reversibility between bundled and
unbundled formats, etc. Even if your proposal has no security problem,
it will not be a good one if users have to pay such high prices.

Your so-called "fundamental flaw" can be addressed in a number of
ways, so I did not pay much attention to it. The easiest one, I guess,
is to disallow unbundling in a non-empty directory. The cost for the
user would be that s/he has to move the bundled .lyx file to an empty
directory before unbundling. This is a high price to pay by my standard,
but it is already much cheaper than your solution. Note that the cost can
be further lowered if we
1. do not require unbundle (bundle-editing mode of my design)
2. help users create a directory and move the file
3. do not do this if there is no external file change during unbundling
4. list all files that will be created/modified during the unbundle
process and let users decide
5. disallow execution of any process from the document directory within lyx.
6. ...

It is funny that you call such an easy problem fundamental, but
non-reversibility, no-out-of-tree-file, etc. of yours trivial.

Cheers,
Bo
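As an added illustration (not LyX code and not part of this thread), the safeguards listed above written out in Python: an unbundle routine that refuses a non-empty target directory, confines every member path to the document directory, and lists what would be created or modified before anything is written. The bundle representation (a dict of member name to bytes), the function names and the sample bundle are assumptions made for the example.

```python
# Added example: defensive unbundling with the safeguards discussed above.
# Assumed bundle format: {member name: file content}; not LyX's real format.
import os

# Constructed sample bundle: member name -> file content.
SAMPLE_BUNDLE = {
    "paper.lyx": b"#LyX example document\n",
    "figs/plot.png": b"\x89PNG constructed placeholder\n",
}


def confined_path(dest_dir, member):
    """Resolve `member` under `dest_dir`, rejecting anything that escapes it."""
    if member.startswith(("/", "\\")) or os.path.splitdrive(member)[0]:
        raise ValueError(f"absolute path in bundle: {member!r}")
    root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(root, member))
    # realpath() normalises '..' and symlinks, so a common prefix test suffices.
    if os.path.commonpath([root, target]) != root:
        raise ValueError(f"path escapes document directory: {member!r}")
    return target


def plan_unbundle(dest_dir, bundle, allow_nonempty=False):
    """Dry run: return (created, modified) member names without writing anything."""
    if os.listdir(dest_dir) and not allow_nonempty:
        raise RuntimeError("refusing to unbundle into a non-empty directory")
    created, modified = [], []
    for name in sorted(bundle):
        target = confined_path(dest_dir, name)  # validates every member first
        (modified if os.path.exists(target) else created).append(name)
    return created, modified


def unbundle(dest_dir, bundle, confirm=None, allow_nonempty=False):
    """Write the bundle only if `confirm(created, modified)` approves the plan.

    The default policy proceeds only when no existing file would be overwritten.
    """
    if confirm is None:
        confirm = lambda created, modified: not modified
    created, modified = plan_unbundle(dest_dir, bundle, allow_nonempty)
    if not confirm(created, modified):
        return []
    written = []
    for name in sorted(bundle):
        target = confined_path(dest_dir, name)
        os.makedirs(os.path.dirname(target), exist_ok=True)
        with open(target, "wb") as fh:
            fh.write(bundle[name])
        written.append(name)
    return written
```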