On Fri, Dec 21, 2012 at 10:23 AM, Richard Heck wrote:
> My suggestion was that the per-file disabling should be done on the basis of
> a per-user UUID we generate at installation, or some such time (and, as
> Scott suggests, can re-generate if need be). This is not perfect. If someone
> had your U
On 12/21/2012 10:33 AM, Jean-Marc Lasgouttes wrote:
On 21/12/2012 16:23, Richard Heck wrote:
My suggestion was that the per-file disabling should be done on the
basis of a per-user UUID we generate at installation, or some such time
(and, as Scott suggests, can re-generate if need be). This i
On 21/12/2012 16:23, Richard Heck wrote:
My suggestion was that the per-file disabling should be done on the
basis of a per-user UUID we generate at installation, or some such time
(and, as Scott suggests, can re-generate if need be). This is not
perfect. If someone had your UUID, they could p
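The per-user UUID scheme sketched in this message, as an added example that is not LyX code and not anything the thread specifies beyond the idea itself. Everything concrete here is an assumption: that the per-user secret is a UUID4 generated at install time, that the "never warn me again for this file" mark stored in the document is an HMAC-SHA256 keyed with that UUID over the document's code chunks (the hypothetical `CHUNK_RE` delimiters are Sweave/knitr-style `<<...>>=` ... `@` blocks), and the sample document is constructed. The last scenario in `walkthrough` is Richard's caveat: anyone holding your UUID can compute a valid mark for a document they send you.

```python
"""Added example (not LyX code): a per-file "don't warn again" mark keyed to a
per-user UUID, as sketched in the thread.  All details below are assumptions:
  * the per-user secret is a UUID4 generated once at installation;
  * the mark stored in the document is an HMAC-SHA256, keyed with that UUID,
    over the document's code chunks only, so prose edits keep the mark valid
    but any edit to executable content brings the warning back.
"""
import hashlib
import hmac
import re
import uuid
from typing import Optional

# Hypothetical chunk syntax: Sweave/knitr-style "<<opts>>= ... @" blocks.
CHUNK_RE = re.compile(r"^<<[^\n]*>>=\n(.*?)^@[ \t]*$", re.S | re.M)


def generate_user_uuid() -> str:
    """Per-user secret, generated at installation (can be regenerated later)."""
    return str(uuid.uuid4())


def chunk_digest(doc: str) -> bytes:
    """SHA-256 over the bodies of all code chunks, in document order."""
    h = hashlib.sha256()
    for body in CHUNK_RE.findall(doc):
        h.update(body.encode("utf-8"))
        h.update(b"\x00")  # separator, so chunk boundaries matter
    return h.digest()


def approval_mark(user_uuid: str, doc: str) -> str:
    """Mark written into the document when the user disables the warning."""
    return hmac.new(user_uuid.encode("utf-8"), chunk_digest(doc),
                    hashlib.sha256).hexdigest()


def needs_warning(user_uuid: str, doc: str, stored_mark: Optional[str]) -> bool:
    """True unless the document carries a mark this user made for these chunks."""
    if stored_mark is None:
        return True
    return not hmac.compare_digest(stored_mark, approval_mark(user_uuid, doc))


# Constructed sample document with one knitr chunk that shells out.
SAMPLE_DOC = (
    "Some prose.\n"
    "<<setup, echo=FALSE>>=\n"
    'system("id")\n'
    "@\n"
    "More prose.\n"
)


def walkthrough() -> dict:
    """Run the scenarios discussed in the thread; return whether each warns."""
    my_uuid = generate_user_uuid()
    mark = approval_mark(my_uuid, SAMPLE_DOC)   # user chose "never warn for this file"
    prose_edit = SAMPLE_DOC.replace("Some prose.", "Edited prose.")
    chunk_edit = SAMPLE_DOC.replace('system("id")', 'system("rm -rf ~")')
    other_user = generate_user_uuid()
    return {
        "unmarked": needs_warning(my_uuid, SAMPLE_DOC, None),        # True
        "marked": needs_warning(my_uuid, SAMPLE_DOC, mark),          # False
        "prose_edit": needs_warning(my_uuid, prose_edit, mark),      # False
        "chunk_edit": needs_warning(my_uuid, chunk_edit, mark),      # True
        "other_user": needs_warning(other_user, SAMPLE_DOC, mark),   # True
        # Richard's caveat: whoever has your UUID can forge the mark for any
        # document they send you, so the warning never fires.
        "leaked_uuid": needs_warning(my_uuid, chunk_edit,
                                     approval_mark(my_uuid, chunk_edit)),  # False
    }
```

Binding the mark to the chunk bodies rather than to the whole file is what keeps the scheme usable: ordinary editing does not re-trigger the warning, but a changed chunk does, and a mark made by another installation (a different UUID) is rejected.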
On 12/21/2012 06:28 AM, Pavel Sanda wrote:
... Let's move the discussion to the devel list ...
Jean-Marc Lasgouttes wrote:
On 21/12/2012 11:32, Scott Kostyshak wrote:
On Fri, Dec 21, 2012 at 5:07 AM, Liviu Andronic
wrote:
I would suggest that we _always_ have a warning when, after opening
... Let's move the discussion to the devel list ...
Jean-Marc Lasgouttes wrote:
> On 21/12/2012 11:32, Scott Kostyshak wrote:
>> On Fri, Dec 21, 2012 at 5:07 AM, Liviu Andronic
>> wrote:
>>> I would suggest that we _always_ have a warning when, after opening a
>>> LyX file, the user activate
Scott Kostyshak wrote:
> knitr (and thus knitr through LyX) will not work out of the box with
> R. The user would have to install the package.
> I think that Sweave is a different story because it comes with R so I
> think that the user would not have to do anything else in order to be
> on the bad
On Mon, Oct 22, 2012 at 7:41 PM, Pavel Sanda wrote:
> Scott Kostyshak wrote:
>> But if you want to confirm that there is a problem (that you can run
>> shell commands from within a knitr/Sweave chunk), then you need to
>> have R installed. Sweave comes with R and knitr can be installed with
>> a s
Scott Kostyshak wrote:
> But if you want to confirm that there is a problem (that you can run
> shell commands from within a knitr/Sweave chunk), then you need to
> have R installed. Sweave comes with R and knitr can be installed with
> a simple install.packages('knitr') within R. Let me know if yo
On Mon, Oct 22, 2012 at 5:31 PM, Pavel Sanda wrote:
> Scott Kostyshak wrote:
>> > Yes. And it would be nice if we had some general solution,
>> > so it's easy to re-use it in other cases.
>>
>> That would be nice. I could look into this but not for a while. I
>> don't think adding a warning to b
Scott Kostyshak wrote:
> > Yes. And it would be nice if we had some general solution,
> > so it's easy to re-use it in other cases.
>
> That would be nice. I could look into this but not for a while. I
> don't think adding a warning to branch would be possible anyway
> because of the string free
On Mon, Oct 22, 2012 at 3:54 PM, Pavel Sanda wrote:
> Scott Kostyshak wrote:
>> You are right
>> that \write18 is disabled by default.
>
> Fine, I'm happy to hear this.
>
>> I would prefer that on every
>> new document I open, if it has the Sweave/knitr module enabled, I am
>> notified (with an op
Scott Kostyshak wrote:
> You are right
> that \write18 is disabled by default.
Fine, I'm happy to hear this.
> I would prefer that on every
> new document I open, if it has the Sweave/knitr module enabled, I am
> notified (with an option of turning such notifications off
> permanently).
Yes. And
On Mon, Oct 22, 2012 at 12:24 PM, Pavel Sanda wrote:
> Scott Kostyshak wrote:
>> Any thoughts as far as improving security, warning the user, or
>> documentation?
>
> Up to this moment we were trying not to include anything which could be used
> in
> the exec("rm -rf /") way (this was the only r
Scott Kostyshak wrote:
> Any thoughts as far as improving security, warning the user, or documentation?
Up to this moment we were trying not to include anything which could be used in
the exec("rm -rf /") way (this was the only reason why gnuplot is not supported
by lyx for example, there was work
On 21/10/2012 08:54, Liviu Andronic wrote:
If scripts are detected then a dialogue pops up with a warning and
asks the user how to proceed. This should provide a minimum of
security.
It is not really scripts that are used on editing like in office, but
rather dangerous converters.
JMarc
On 21/10/2012 03:51, Scott Kostyshak wrote:
I do not see knitr and Sweave security discussed anywhere. The
Customization guide has 5 paragraphs on security regarding external
templates.
It is a difficult problem indeed. I do not see a better solution than
marking some converters "dangerous"
On Sun, Oct 21, 2012 at 3:08 AM, Yihui Xie wrote:
> I learned \write18 from a quick search:
> http://stackoverflow.com/questions/3252957/how-to-execute-shell-script-from-latex
I didn't know about that. Then yes, if LyX allows security problems
like that from LaTeX I should not be worrying about S
I learned \write18 from a quick search:
http://stackoverflow.com/questions/3252957/how-to-execute-shell-script-from-latex
Security problems exist in most software packages. In this case
(knitr/Sweave), a pure technical solution does not seem to be
possible... Sometimes I do want to execute system(
The blacklist-based solution can stop nothing as you showed, so I
think we cannot do much except writing it in the documentation.
Regards,
Yihui
--
Yihui Xie
Phone: 515-294-2465 Web: http://yihui.name
Department of Statistics, Iowa State University
2215 Snedecor Hall, Ames, IA
On Sat, Oct 20, 2
On Sat, Oct 20, 2012 at 10:18 PM, Yihui Xie wrote:
> I do not see an obvious approach to solve this issue except
> documenting the potential security problem in the manual. It exists in
> all R-related applications, including R packages. I have seen people
> collecting keywords like system() and f
I do not see an obvious approach to solve this issue except
documenting the potential security problem in the manual. It exists in
all R-related applications, including R packages. I have seen people
collecting keywords like system() and file.remove(), but that is
apparently far from a perfect solu
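The keyword-collecting approach Yihui describes, as an added example that is not from the thread, from knitr or from LyX. The blacklist contents, the scanner and the R chunk bodies are all constructed for the demonstration; the evasions are plain R (`do.call`, `get`, `eval(parse(...))`, `pipe()`), not knitr features. The scanner catches the obvious chunk and misses every rewritten one, which is the point being made above: a token blacklist on chunk text stops nothing. It also says nothing about `\write18` in the LaTeX preamble, which never passes through the chunk scanner at all.

```python
"""Added example (not from the thread, knitr or LyX): a keyword blacklist over
R chunk bodies, and equivalent chunks that do not trip it.  The blacklist and
all chunk samples are constructed for this demonstration."""
import re
from typing import Dict, List

# Assumed list of R calls that reach the filesystem or the OS.
BLACKLIST = ["system", "system2", "shell", "file.remove", "unlink", "download.file"]
# Match a blacklisted name used as a call: name, optional spaces, "(".
BLACKLIST_RE = re.compile(r"\b(" + "|".join(map(re.escape, BLACKLIST)) + r")\s*\(")


def flag_chunk(code: str) -> List[str]:
    """Return the blacklisted calls found in one chunk body (sorted, unique)."""
    return sorted({m.group(1) for m in BLACKLIST_RE.finditer(code)})


# Constructed R chunk bodies.
OBVIOUS = 'system("id")\nfile.remove("notes.txt")'

EVASIONS: Dict[str, str] = {
    # Name assembled at runtime: no blacklisted token is followed by "(".
    "do.call": 'do.call(paste0("sys", "tem"), list("id"))',
    # Function looked up by string: "system" is followed by a quote, not "(".
    "get": 'f <- get("system"); f("id")',
    # Whole call shipped as code points; decodes to: system("id")
    "intToUtf8": 'eval(parse(text = intToUtf8(c(115L,121L,115L,116L,101L,109L,'
                 '40L,34L,105L,100L,34L,41L))))',
    # A primitive the list forgot: pipe() also runs a shell command.
    "pipe": 'readLines(pipe("id"))',
}


def evasion_report() -> Dict[str, List[str]]:
    """What the scanner reports for each evasion; every value is empty."""
    return {name: flag_chunk(code) for name, code in EVASIONS.items()}
```

Extending the list does not close the gap: the `get` and `intToUtf8` variants never contain a blacklisted call at all, and knitr chunks can also use a non-R engine (for example `engine='bash'`), in which case the chunk body is shell, not R, and an R-oriented keyword list has nothing to match.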