Jürgen Spitzmüller wrote:
> Pavel Sanda wrote:
> > i must have missed it. we store any info/params about launching 3rd party
> > apps in .lyx file now? this would be security issue which is best to be
> > avoided...
> 
> We store the preferred output format (which is bound to a specific
> viewer) and the preferred bibtex/index generators. In the same vein, we
> could provide, in Document > Settings > Output, a widget to either use the
> default pref, to explicitly enable or disable forward/reverse search.
> 
> I do not see any security problem here.

if there is only info like "pdf1/2/3" then there is no problem (is it so?). if
we provide the possibility to provide the command to be executed (i.e. the
viewer or forward search viewer or exact indexing command etc) then the
security risk is clear - any command put to the settings by the attacker is
going to be executed sooner or later and we shouldn't allow that.

pavel
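
An added example, not part of the original message and not LyX code: a minimal loader that accepts only a format identifier such as "pdf2" from the document and looks the viewer command up in the user's local preferences, so nothing written in the file is ever run. The header syntax, the key name `output_format`, and all function and type names are hypothetical; the sample values are constructed.

```cpp
#include <cctype>
#include <iostream>
#include <map>
#include <sstream>
#include <string>

// Viewer commands live only in the user's local preferences (constructed sample).
typedef std::map<std::string, std::string> ViewerPrefs;
struct DocSettings {
    std::string output_format;  // identifier such as "pdf2", never a command
    int rejected = 0;           // header lines that were refused
};

// A format identifier is short and purely alphanumeric.
bool is_format_token(const std::string& s) {
    if (s.empty() || s.size() > 16) return false;
    for (unsigned char c : s)
        if (!std::isalnum(c)) return false;
    return true;
}

// Parse "key value" lines from an untrusted document header (hypothetical syntax).
DocSettings parse_header(const std::string& header) {
    DocSettings d;
    std::istringstream in(header);
    std::string line;
    while (std::getline(in, line)) {
        std::istringstream ls(line);
        std::string key, value;
        ls >> key;
        std::getline(ls >> std::ws, value);
        if (key == "output_format" && is_format_token(value))
            d.output_format = value;
        else if (!key.empty()) ++d.rejected;  // unknown key or command-like value
    }
    return d;
}

// The command comes from local prefs; an unknown identifier yields "".
std::string viewer_for(const DocSettings& d, const ViewerPrefs& prefs) {
    ViewerPrefs::const_iterator it = prefs.find(d.output_format);
    return it == prefs.end() ? std::string() : it->second;
}

int main() {
    ViewerPrefs prefs{{"pdf2", "local-pdf-viewer"}};
    DocSettings d = parse_header("output_format pdf2\nviewer_command PLACEHOLDER\n");
    std::cout << viewer_for(d, prefs) << " rejected=" << d.rejected << "\n";
}
```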
