mirror of https://git.lyx.org/repos/lyx.git (synced 2024-11-09 18:31:04 +00:00)
Revert part of http://www.lyx.org/trac/changeset/29412
http://www.mail-archive.com/lyx-devel@lists.lyx.org/msg150458.html

git-svn-id: svn://svn.lyx.org/lyx/lyx-devel/trunk@29461 a592a061-630c-0410-9148-cb99ea01b6c8
parent 8f1b42984d
commit ffc71354d0
@ -15557,5 +15557,169 @@ status collapsed
|
||||
files needs the relative name in order to rewrite the file content.
|
||||
\end_layout
|
||||
|
||||
\begin_layout Section
|
||||
\begin_inset CommandInset label
|
||||
LatexCommand label
|
||||
name "sec:Security-discussion"
|
||||
|
||||
\end_inset
|
||||
|
||||
Security discussion
|
||||
\end_layout
|
||||
|
||||
\begin_layout Standard
|
||||
\begin_inset Box Shadowbox
|
||||
position "t"
|
||||
hor_pos "c"
|
||||
has_inner_box 1
|
||||
inner_pos "t"
|
||||
use_parbox 0
|
||||
width "100col%"
|
||||
special "none"
|
||||
height "1in"
|
||||
height_special "totalheight"
|
||||
status open
|
||||
|
||||
\begin_layout Plain Layout
|
||||
WARNING: This section is definitely outdated.
|
||||
\end_layout
|
||||
|
||||
\end_inset
|
||||
|
||||
|
||||
\end_layout
|
||||
|
||||
\begin_layout Standard
|
||||
The external material feature interfaces with a lot of external programs
|
||||
and does so automatically, so we have to consider the security implications
|
||||
of this.
|
||||
In particular, since you have the option of including your own filenames
|
||||
and/or parameter strings and those are expanded into a command, it seems
|
||||
that it would be possible to create a malicious document which executes
|
||||
arbitrary commands when a user views or prints the document.
|
||||
This is something we definitely want to avoid.
|
||||
\end_layout
|
||||
|
||||
\begin_layout Standard
|
||||
However, since the external program commands are specified in the template
|
||||
configuration file only, there are no security issues if LyX is properly
|
||||
configured with safe templates only.
|
||||
This is so because the external programs are invoked with the
|
||||
\begin_inset Flex CharStyle:Code
|
||||
status collapsed
|
||||
|
||||
\begin_layout Plain Layout
|
||||
execvp
|
||||
\end_layout
|
||||
|
||||
\end_inset
|
||||
|
||||
-system call rather than the
|
||||
\begin_inset Flex CharStyle:Code
|
||||
status collapsed
|
||||
|
||||
\begin_layout Plain Layout
|
||||
system
|
||||
\end_layout
|
||||
|
||||
\end_inset
|
||||
|
||||
system-call, so it's not possible to execute arbitrary commands from the
|
||||
filename or parameter section via the shell.
|
||||
\end_layout
|
||||
|
||||
\begin_layout Standard
|
||||
This also implies that you are restricted in what command strings you can
|
||||
use in the external material templates.
|
||||
In particular, pipes and redirection are not readily available.
|
||||
This has to be so if LyX should remain safe.
|
||||
If you want to use some of the shell features, you should write a safe
|
||||
script to do this in a controlled manner, and then invoke the script from
|
||||
the command string.
|
||||
In the
|
||||
\begin_inset Flex CharStyle:Code
|
||||
status collapsed
|
||||
|
||||
\begin_layout Plain Layout
|
||||
lib/scripts
|
||||
\end_layout
|
||||
|
||||
\end_inset
|
||||
|
||||
directory of the LyX installation, you can find a safe wrapper script
|
||||
\begin_inset Flex CharStyle:Code
|
||||
status collapsed
|
||||
|
||||
\begin_layout Plain Layout
|
||||
general_command_wrapper.py
|
||||
\end_layout
|
||||
|
||||
\end_inset
|
||||
|
||||
that supports redirection of input and output.
|
||||
That can serve as an example for how to write safe template scripts.
|
||||
For a more advanced example that uses
|
||||
\begin_inset Flex CharStyle:Code
|
||||
status collapsed
|
||||
|
||||
\begin_layout Plain Layout
|
||||
fork
|
||||
\end_layout
|
||||
|
||||
\end_inset
|
||||
|
||||
and friends, take a look at the
|
||||
\begin_inset Flex CharStyle:Code
|
||||
status collapsed
|
||||
|
||||
\begin_layout Plain Layout
|
||||
pic2ascii.py
|
||||
\end_layout
|
||||
|
||||
\end_inset
|
||||
|
||||
converter script.
|
||||
\end_layout
|
||||
|
||||
\begin_layout Standard
|
||||
It is possible to design a template that interacts directly with the shell,
|
||||
but since this would allow a malicious user to execute arbitrary commands
|
||||
by writing clever filenames and/or parameters, we generally recommend that
|
||||
you only use safe scripts that work with the
|
||||
\begin_inset Flex CharStyle:Code
|
||||
status collapsed
|
||||
|
||||
\begin_layout Plain Layout
|
||||
execvp
|
||||
\end_layout
|
||||
|
||||
\end_inset
|
||||
|
||||
system call in a controlled manner.
|
||||
Of course, for use in a controlled environment, it can be tempting to just
|
||||
fall back to use ordinary shell scripts.
|
||||
If you do so, be aware that you
|
||||
\emph on
|
||||
will
|
||||
\emph default
|
||||
provide an easily exploitable security hole in your system.
|
||||
Of course it stands to reason that such unsafe templates will never be
|
||||
included in the standard LyX distribution, although we do encourage people
|
||||
to submit new templates in the open source tradition.
|
||||
But LyX as shipped from the official distribution channels will never have
|
||||
unsafe templates.
|
||||
\end_layout
|
||||
|
||||
\begin_layout Standard
|
||||
Including external material provides a lot of power, and you have to be
|
||||
careful not to introduce security hazards with this power.
|
||||
A subtle error in a single line in an innocent looking script can open
|
||||
the door to huge security problems.
|
||||
So if you do not fully understand the issues, we recommend that you consult
|
||||
a knowledgeable security professional or the LyX development team if you
|
||||
have any questions about whether a given template is safe or not.
|
||||
And do this before you use it in an uncontrolled environment.
|
||||
\end_layout
|
||||
|
||||
\end_body
|
||||
\end_document
|
||||
|
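Review bot: the restored "Security discussion" section opens with a box reading "WARNING: This section is definitely outdated." but then states without qualification that "there are no security issues if LyX is properly configured with safe templates only" and that LyX as shipped "will never have unsafe templates". Either check those statements against the current external-material code and drop the warning, or have the box say which statements are stale, so readers are not left guessing which guarantees still hold. The execvp argument only covers shell interpretation: a filename or parameter string is still handed to the external program as an argument and can be read as an option by it, so "no security issues" should be narrowed to the shell-injection case the following sentence actually argues. Two smaller points: execvp and system are C library functions rather than system calls, and the wording is inconsistent ("-system call" versus "system-call"); and it is worth confirming that general_command_wrapper.py and pic2ascii.py still exist under lib/scripts before pointing readers at them as examples of safe template scripts.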