On 03/11/2016 23:02, Pavel Sanda wrote:
> How does your patch deal with scripts like "! rm -rf *"?
At the moment, I'm not sure what the current directory would be for such a command: the temporary directory where LyX is doing the temp conversions, or the current working directory of the .lyx document being edited. Anyway, it could have been an "rm -rf $HOME" or similar :-)

I guess one could try to filter out execution of external commands before sending them to gnuplot, within gnuplot2pdf.py, but that might limit functionality (it should catch the !cmd syntax, but also the plot "< cmd" syntax, the latter being one of my common use-cases :-) ).

On a related note, you can already execute external scripts from LaTeX through \write18{...} or \input{|command...}, albeit that seems to need an explicit -shell-escape on the LaTeX command line in order to enable the feature. Also, I guess that integration of external materials suffers from similar security risks. Are we sure a bomb-virus .lyx file is not already possible with today's LyX features :-) ?

Thanks,
T.
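A rough version of the pre-filter T. sketches above, as an added example; it is not code from LyX's gnuplot2pdf.py or from anyone in the thread. It scans a gnuplot script for the two constructs named in the message (a leading `!` that hands the rest of the line to the shell, and a quoted data source starting with `<`, which makes gnuplot read from a pipe to a command) and reports them so a converter can refuse the script instead of running it. The function names and the sample script are constructed for the example; the matching is a heuristic over individual lines, not a gnuplot parser.

```python
import re

# Heuristic patterns for the shell-escape constructs discussed in the thread.
# (Constructed for this example; gnuplot has other ways to run commands too.)
SHELL_ESCAPE_PATTERNS = [
    # A line starting with "!" passes the remainder of the line to the shell.
    ("system command", re.compile(r"^\s*!")),
    # A quoted data source whose first character is "<" is read from a
    # pipe to a command, e.g.  plot "< sort -n data.dat" using 1:2
    ("pipe data source", re.compile(r"""["']\s*<[^"']*["']""")),
]


def strip_comment(line):
    """Drop a trailing gnuplot '#' comment, ignoring '#' inside quotes."""
    in_quote = None
    for i, ch in enumerate(line):
        if in_quote:
            if ch == in_quote:
                in_quote = None
        elif ch in "\"'":
            in_quote = ch
        elif ch == "#":
            return line[:i]
    return line


def find_shell_escapes(script):
    """Return (line_number, kind, original_line) for each flagged line."""
    findings = []
    for lineno, raw in enumerate(script.splitlines(), start=1):
        line = strip_comment(raw)
        for kind, pattern in SHELL_ESCAPE_PATTERNS:
            if pattern.search(line):
                findings.append((lineno, kind, raw.strip()))
                break  # one finding per line is enough to refuse the script
    return findings


def is_safe_script(script):
    """True when no line of the script would cause gnuplot to run a command."""
    return not find_shell_escapes(script)


# Constructed sample: two harmless plot commands, a comment that mentions "!",
# and the two constructs the thread is worried about.
SAMPLE_SCRIPT = """\
set terminal pdf
set output "out.pdf"
# ! this is only a comment and must not be flagged
plot "data.dat" using 1:2 with lines
! rm -rf *
plot "< sort -n data.dat" using 1:2
"""

if __name__ == "__main__":
    for lineno, kind, text in find_shell_escapes(SAMPLE_SCRIPT):
        print(f"line {lineno}: {kind}: {text}")
    print("safe" if is_safe_script(SAMPLE_SCRIPT) else "refused")
```

Because the check is line based, a converter using it would also want to join gnuplot's backslash line continuations before scanning, and, as T. notes, refusing the `"< cmd"` form removes a legitimate feature, so the decision to deny rather than warn belongs to whoever runs the converter.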