Bo Peng wrote:
It is a fundamental flaw if the mere
possibility of unbundling files to arbitrary locations *even within the
document directory* leads to the possibility of executing arbitrary code on
the user's machine.

Everything comes at a cost, and a good design should have the right
balance of benefits and costs. I have not seen the real benefit of
your proposal, but I have seen that you would like to limit users
to using only in-tree files, use a LyX-specified directory structure,
inconvenience in svn handling, non-reversibility between bundled and
unbundled formats, etc. Even if your proposal has no security problem,
it will not be a good one if users have to pay such high prices.

Your so-called "fundamental flaw" can be addressed in a number of
ways, so I did not pay much attention to it. The easiest one, I guess,
is to disallow unbundling in a non-empty directory. The cost for the
user would be that s/he has to move the bundled .lyx file to an empty
directory before unbundling. This is a high price to pay by my standards,
but it is already much cheaper than your solution. Note that the cost can
be further lowered if we
1. do not require unbundle (bundle-editing mode of my design)
2. help users create a directory and move the file
3. do not do this if there is no external file change during unbundling
4. list all files that will be created/modified during the unbundle
process and let users decide
5. disallow execution of any process from the document directory within LyX.
6. ...

It is funny that you call such an easy problem fundamental, but
non-reversibility, no-out-of-tree-file, etc. of yours trivial.

I wasn't trying to convince you of anything, and I'm not interested in continuing this discussion. I was trying to explain to users who had asked about it why so many developers ended up where they did. For me, and I think also for some others, the security issues were critical. But the decision has been made, so I see no point in debating your suggestions.

That said, if there are still users who care, let me explain why these suggestions, most of which were made before, weren't accepted. The problem, as I see it, is that it is very hard to see how we can still have reversibility---and that, as Bo has emphasized, is a central goal of his design---if we even require the unbundling to happen within the document directory---as is necessary to resolve Andre's worries about /etc/passwd---let alone if we require it to happen in an empty directory. And the fact that such hacks are needed to avoid serious security problems looks to me like it points to a basic problem with the design. Not to mention that the dialog for (4) should have one button that says, "Yes, I want to shoot myself"---smoking gun icon thanks to Martin---and that (5) would cripple LyX.

But what most puzzles me is that I can't for the life of me see how such a security issue could be regarded as not worthy of serious attention. Our users are very lucky indeed that people started asking questions about the design BEFORE some clever cracker discovered the exploit. I can just see it now: Post a message to lyx-users, attach a LyX file, and wait for the trojans to call home....

Richard
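As an added example (not code from LyX or from either author), this Python sketch shows the check Richard describes as necessary, confining every unbundled entry to the document directory, combined with a looser form of Bo's items 1 and 4: refusing to overwrite any existing file and returning the list of files an unbundle would create, so the user can decide before anything is written. The entry names, paper.lyx and the temporary document directory are constructed sample data.

```python
import os
import tempfile
from typing import Dict, List

class UnbundleError(Exception):
    """Raised when a bundled entry may not be written; .reason is a short tag."""
    def __init__(self, reason: str, name: str) -> None:
        super().__init__(f"{reason}: {name!r}")
        self.reason = reason

def plan_unbundle(doc_dir: str, entry_names: List[str]) -> List[str]:
    """Vet every entry name and return the files an unbundle would create.
    Rejects absolute names, names that resolve (via '..' or a symlinked
    parent) outside doc_dir, and names that would overwrite an existing
    file. Nothing is written: the result is what a dialog would list."""
    root = os.path.realpath(doc_dir)
    planned: List[str] = []
    for name in entry_names:
        if not name or os.path.isabs(name):
            raise UnbundleError("absolute", name)
        # realpath collapses '..' and follows symlinks in intermediate dirs
        target = os.path.realpath(os.path.join(root, name))
        if target == root or os.path.commonpath([root, target]) != root:
            raise UnbundleError("escape", name)
        if os.path.lexists(target):
            raise UnbundleError("overwrite", name)
        planned.append(target)
    return planned

def demo() -> Dict[str, str]:
    """Constructed scenario: a document directory holding only paper.lyx,
    probed with one benign and three hostile entry lists."""
    outcomes: Dict[str, str] = {}
    with tempfile.TemporaryDirectory() as doc_dir:
        open(os.path.join(doc_dir, "paper.lyx"), "w").close()
        cases = {
            "benign": ["figures/plot.eps", "refs.bib"],
            "traversal": ["../../etc/passwd"],
            "absolute": ["/etc/passwd"],
            "overwrite": ["paper.lyx"],
        }
        for label, names in cases.items():
            try:
                plan_unbundle(doc_dir, names)
                outcomes[label] = "allowed"
            except UnbundleError as err:
                outcomes[label] = err.reason
    return outcomes
```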
