Hi, I've gotten lots of information from Enrico and Guillaume related to the security "gap", but I'd like to boil it down to simpler questions to make the situation clear to me.

Assume that I've gotten a LyX document by e-mail. It was not created by me, but let's say that the sender of the e-mail appears to be from a colleague whom I trust, asking me to do him a favour and generate a PDF because his computer is acting up. It's urgent of course...

A) In LyX 2.2.x, if I open the document, no "converters" are executed. But when I attempt to generate the PDF, the document could via e.g. 'R' execute arbitrary code on my computer, as if it were my user account. And this would happen silently, with no warning etc. Correct?

But what would happen if I used LyX 2.3.0alphaX and tried to build the document?

B) Would LyX still allow the document to run arbitrary code on my computer?

C) Would the execution still happen "silently"?

D) Can the above happen with a document completely created by someone else?

Note that for all questions above I assume that the person who sent me the document has attempted to configure it to allow the above, i.e. he's set any flags etc he could within the document.

Regards,
Christian