+ if (!conv.hyperref_driver().empty())
+ return conv.hyperref_driver();
+ }
+ return string();
+}
+
+
+bool Converters::checkAuth(Converter const & conv, string const & doc_fname,
+ bool use_shell_escape)
+{
+ string conv_command = conv.command();
+ bool const has_shell_escape = contains(conv_command, "-shell-escape")
+ || contains(conv_command, "-enable-write18");
+ if (conv.latex() && has_shell_escape && !use_shell_escape) {
+ docstring const shellescape_warning =
+ bformat(_("<p>The following LaTeX backend has been "
+ "configured to allow execution of external programs "
+ "for any document:</p>"
+ "<center><p><tt>%1$s</tt></p></center>"
+ "<p>This is a dangerous configuration. Please, "
+ "consider using the support offered by LyX for "
+ "allowing this privilege only to documents that "
+ "actually need it, instead.</p>"),
+ from_utf8(conv_command));
+ frontend::Alert::error(_("Security Warning"),
+ shellescape_warning , false);
+ } else if (!conv.latex())
+ use_shell_escape = false;
+ if (!conv.need_auth() && !use_shell_escape)
+ return true;
+ size_t const token_pos = conv_command.find("$$");
+ bool const has_token = token_pos != string::npos;
+ string const command = use_shell_escape && !has_shell_escape
+ ? (has_token ? conv_command.insert(token_pos, "-shell-escape ")
+ : conv_command.append(" -shell-escape"))
+ : conv_command;
+ docstring const security_warning = (use_shell_escape
+ ? bformat(_("<p>The following LaTeX backend has been requested "
+ "to allow execution of external programs:</p>"
+ "<center><p><tt>%1$s</tt></p></center>"
+ "<p>The external programs can execute arbitrary commands on "
+ "your system, including dangerous ones, if instructed to do "
+ "so by a maliciously crafted LyX document.</p>"),
+ from_utf8(command))
+ : bformat(_("<p>The requested operation requires the use of a "
+ "converter from %2$s to %3$s:</p>"
+ "<blockquote><p><tt>%1$s</tt></p></blockquote>"
+ "<p>This external program can execute arbitrary commands on "
+ "your system, including dangerous ones, if instructed to do "
+ "so by a maliciously crafted LyX document.</p>"),
+ from_utf8(command), from_utf8(conv.from()),
+ from_utf8(conv.to())));
+ if (lyxrc.use_converter_needauth_forbidden && !use_shell_escape) {
+ frontend::Alert::error(
+ _("An external converter is disabled for security reasons"),
+ security_warning + _(
+ "<p><b>Your current preference settings forbid its execution.</b></p>"
+ "<p>(To change this setting, go to <i>Preferences ▹ File "
+ "Handling ▹ Converters</i> and uncheck <i>Security ▹ "
+ "Forbid needauth converters</i>.)"), false);
+ return false;