From 21955431884f1e25e5806a909243491a8b9829fb Mon Sep 17 00:00:00 2001
From: Juergen Spitzmueller
Date: Tue, 29 Aug 2023 14:43:59 +0200
Subject: [PATCH] Add message dialog to LFUN_CITATION_OPEN chain This addresses security concerns.
---
 src/frontends/qt/GuiView.cpp | 3 ++-
 src/frontends/qt/qt_helpers.cpp | 40 ++++++++++++++++++++++++++++++++-
 src/frontends/qt/qt_helpers.h | 2 ++
 3 files changed, 43 insertions(+), 2 deletions(-)
diff --git a/src/frontends/qt/GuiView.cpp b/src/frontends/qt/GuiView.cpp
index 2d8847e8d5..273fa383e7 100644
--- a/src/frontends/qt/GuiView.cpp
+++ b/src/frontends/qt/GuiView.cpp
@@ -5071,12 +5071,13 @@ void GuiView::dispatch(FuncRequest const & cmd, DispatchResult & dr)
 break;
 case LFUN_CITATION_OPEN: {
+ LASSERT(doc_buffer, break);
 string pdfv, psv;
 if (theFormats().getFormat("pdf"))
 pdfv = theFormats().getFormat("pdf")->viewer();
 if (theFormats().getFormat("ps"))
 psv = theFormats().getFormat("ps")->viewer();
- frontend::showTarget(argument, pdfv, psv);
+ frontend::showTarget(argument, doc_buffer->absFileName(), pdfv, psv);
 break;
 }
diff --git a/src/frontends/qt/qt_helpers.cpp b/src/frontends/qt/qt_helpers.cpp
index ed2edec2ef..230c89b52a 100644
--- a/src/frontends/qt/qt_helpers.cpp
+++ b/src/frontends/qt/qt_helpers.cpp
@@ -33,9 +33,12 @@
 #include
 #include
 #include
+#include
 #include
 #include
+#include
 #include
+#include
 #include
 #include
 #include
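Review bot: The trust identity handed to `showTarget` in the `LFUN_CITATION_OPEN` case is only `doc_buffer->absFileName()`, and the qt_helpers.cpp hunk stores the user's "trust this document" choice under that path string, so the decision is bound to a location rather than to the document's content. Any other file later saved, unpacked or synced to the same path would presumably be opened without the prompt, and it is not visible from this hunk what path an unsaved buffer reports. Consider keying the setting on a content digest in addition to the path, or at least record the limitation at the call site, e.g. `// NOTE: trust is keyed on the absolute path only; a replaced file at this path inherits it`. The enclosing `GuiView::dispatch` starts and ends outside the hunk.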
@@ -292,9 +295,44 @@ void showDirectory(FileName const & directory)
 qstring_to_ucs4(qurl.toString())));
 }
-void showTarget(string const & target, string const & pdfv, string const & psv)
+void showTarget(string const & target, string const & docpath,
+ string const & pdfv, string const & psv)
 {
 LYXERR(Debug::INSETS, "Showtarget:" << target << "\n");
+
+ // security measure: ask user before opening if document is not marked trusted.
+ QSettings settings;
+ if (!settings.value("trusted documents/" + toqstr(docpath), false).toBool()) {
+ QCheckBox * dontShowAgainCB = new QCheckBox();
+ dontShowAgainCB->setText(qt_("&Trust this document and do not ask me again!"));
+ dontShowAgainCB->setToolTip(qt_("If you check this, LyX will open all targets without asking for the given document in the future."));
+ docstring const warn =
+ prefixIs(target, "EXTERNAL ") ?
+ bformat(_("LyX will search your directory for files with the following keywords in their name "
+ "and then open it in an external application, if a file is found:\n"
+ "'%1$s'\n"
+ "Be aware that this might entail security infringements!\n"
+ "Only do this if you trust origin of the document and the keywords used!\n"
+ "How do you want to proceed?"), from_utf8(target).substr(9, docstring::npos))
+ : bformat(_("LyX wants to open the following link in an external application:\n"
+ "%1$s\n"
+ "Be aware that this might entail security infringements!\n"
+ "Only do this if you trust origin of the document and the target of the link!\n"
+ "How do you want to proceed?"), from_utf8(target));
+ QMessageBox box(QMessageBox::Warning, qt_("Open external target?"), toqstr(warn),
+ QMessageBox::NoButton, qApp->focusWidget());
+ QPushButton * openButton = box.addButton(qt_("&Open Target"), QMessageBox::ActionRole);
+ box.addButton(QMessageBox::Abort);
+ box.setCheckBox(dontShowAgainCB);
+ box.setDefaultButton(QMessageBox::Abort);
+ box.exec();
+ if (box.clickedButton() != openButton)
+ return;
+ if (dontShowAgainCB->isChecked())
+ settings.setValue("trusted documents/" + + toqstr(docpath), true);
+ }
+
 if (prefixIs(target, "EXTERNAL ")) {
 if (!lyxrc.citation_search)
 return;
diff --git a/src/frontends/qt/qt_helpers.h b/src/frontends/qt/qt_helpers.h
index f3230b2d32..dc19aea074 100644
--- a/src/frontends/qt/qt_helpers.h
+++ b/src/frontends/qt/qt_helpers.h
@@ -93,8 +93,10 @@ void setMessageColour(std::list highlighted,
 void showDirectory(support::FileName const & directory);
 /// handle request for showing citation content - shows pdf/ps or
 /// web page in target; external script can be used for pdf/ps view
+/// \p docpath holds the document path,
 /// \p pdfv takes a pad viewer, \p psv a ps viewer
 void showTarget(std::string const & target,
+ std::string const & docpath,
 std::string const & pdfv,
 std::string const & psv);
--
2.39.5
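Review bot: The warning text built with `bformat` embeds `target`, which comes from the very document whose trustworthiness is being asked about, and the `QMessageBox` is left at its default `Qt::AutoText` format, so a target that looks like rich text would be rendered as markup and could alter what the prompt shows. Force plain text before `box.exec()` with `box.setTextFormat(Qt::PlainText);` so the user always sees the literal link or keywords. As a smaller style point, `substr(9, docstring::npos)` hard-codes the length of the `"EXTERNAL "` prefix tested by `prefixIs`; a named constant used in both places would keep them in step. `showTarget` continues past the end of the hunk.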
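Review bot: The added doc line says only that `docpath` "holds the document path", but in the qt_helpers.cpp hunk this parameter is the key under which the persistent trust decision is stored, and `showTarget` can now block on a modal prompt and return without opening anything. Callers reading the header need that contract; extend the comment along the lines of `/// \p docpath is the absolute path of the document; the user's "trust this document" choice is stored under it` and add a sentence that the function asks for confirmation unless the document is marked trusted. The neighbouring context line also reads "pad viewer", which presumably should be "pdf viewer".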