X-Git-Url: https://git.lyx.org/gitweb/?a=blobdiff_plain;f=src%2FConverter.cpp;h=664a4bb7180a32fe615384c8a584d277c48b0a99;hb=63c1979401271381e7667f8e55a018a728788aaa;hp=489f5df439b62da275bf54f2265bad1b3313b337;hpb=e30f3d76d2bee0011ceaeb5f0cc221156458cbad;p=lyx.git diff --git a/src/Converter.cpp b/src/Converter.cpp index 489f5df439..664a4bb718 100644 --- a/src/Converter.cpp +++ b/src/Converter.cpp @@ -19,14 +19,18 @@ #include "Encoding.h" #include "ErrorList.h" #include "Format.h" +#include "InsetList.h" #include "Language.h" #include "LaTeX.h" #include "LyXRC.h" #include "Mover.h" +#include "ParagraphList.h" #include "Session.h" #include "frontends/alert.h" +#include "insets/InsetInclude.h" + #include "support/debug.h" #include "support/FileNameList.h" #include "support/filetools.h" @@ -279,20 +283,52 @@ OutputParams::FLAVOR Converters::getFlavor(Graph::EdgePath const & path, } -bool Converters::checkAuth(Converter const & conv, string const & doc_fname) +bool Converters::checkAuth(Converter const & conv, string const & doc_fname, + bool use_shell_escape) { - if (!conv.need_auth()) + string conv_command = conv.command(); + bool const has_shell_escape = contains(conv_command, "-shell-escape") + || contains(conv_command, "-enable-write18"); + if (conv.latex() && has_shell_escape && !use_shell_escape) { + docstring const shellescape_warning = + bformat(_("
The following LaTeX backend has been " + "configured to allow execution of external programs " + "for any document:
" + "%1$s
This is a dangerous configuration. Please, " + "consider using the support offered by LyX for " + "allowing this privilege only to documents that " + "actually need it, instead.
"), + from_utf8(conv_command)); + frontend::Alert::error(_("Security Warning"), + shellescape_warning , false); + } else if (!conv.latex()) + use_shell_escape = false; + if (!conv.need_auth() && !use_shell_escape) return true; - const docstring security_warning = bformat( - _("The requested operation requires the use of a converter from " - "%2$s to %3$s:
" + size_t const token_pos = conv_command.find("$$"); + bool const has_token = token_pos != string::npos; + string const command = use_shell_escape && !has_shell_escape + ? (has_token ? conv_command.insert(token_pos, "-shell-escape ") + : conv_command.append(" -shell-escape")) + : conv_command; + docstring const security_warning = (use_shell_escape + ? bformat(_("The following LaTeX backend has been requested " + "to allow execution of external programs:
" + "%1$s
The external programs can execute arbitrary commands on " + "your system, including dangerous ones, if instructed to do " + "so by a maliciously crafted LyX document.
"), + from_utf8(command)) + : bformat(_("The requested operation requires the use of a " + "converter from %2$s to %3$s:
" "" - "%1$s
This external program can execute arbitrary commands on your " - "system, including dangerous ones, if instructed to do so by a " - "maliciously crafted .lyx document.
"), - from_utf8(conv.command()), from_utf8(conv.from()), - from_utf8(conv.to())); - if (lyxrc.use_converter_needauth_forbidden) { + "This external program can execute arbitrary commands on " + "your system, including dangerous ones, if instructed to do " + "so by a maliciously crafted LyX document.
"), + from_utf8(command), from_utf8(conv.from()), + from_utf8(conv.to()))); + if (lyxrc.use_converter_needauth_forbidden && !use_shell_escape) { frontend::Alert::error( _("An external converter is disabled for security reasons"), security_warning + _( @@ -302,29 +338,47 @@ bool Converters::checkAuth(Converter const & conv, string const & doc_fname) "Forbid needauth converters.)"), false); return false; } - if (!lyxrc.use_converter_needauth) + if (!lyxrc.use_converter_needauth && !use_shell_escape) return true; - static const docstring security_title = - _("An external converter requires your authorization"); + docstring const security_title = use_shell_escape + ? _("A LaTeX backend requires your authorization") + : _("An external converter requires your authorization"); int choice; - const docstring security_warning2 = security_warning + - _("Would you like to run this converter?
" - "Only run if you trust the origin/sender of the LyX " - "document!
"); + docstring const security_warning2 = security_warning + (use_shell_escape + ? _("Should LaTeX backends be allowed to run external " + "programs?
Allow them only if you trust the " + "origin/sender of the LyX document!
") + : _("Would you like to run this converter?
" + "Only run if you trust the origin/sender of the LyX " + "document!
")); + docstring const no = use_shell_escape + ? _("Do ¬ allow") : _("Do ¬ run"); + docstring const yes = use_shell_escape ? _("A&llow") : _("&Run"); + docstring const always = use_shell_escape + ? _("&Always allow for this document") + : _("&Always run for this document"); if (!doc_fname.empty()) { LYXERR(Debug::FILES, "looking up: " << doc_fname); - std::set