From ffc71354d07012bd0eb7e5d83291d8d096c04ac6 Mon Sep 17 00:00:00 2001
From: Pavel Sanda
Date: Fri, 1 May 2009 09:15:32 +0000
Subject: [PATCH] Revert part of http://www.lyx.org/trac/changeset/29412

http://www.mail-archive.com/lyx-devel@lists.lyx.org/msg150458.html

git-svn-id: svn://svn.lyx.org/lyx/lyx-devel/trunk@29461 a592a061-630c-0410-9148-cb99ea01b6c8
---
 lib/doc/Customization.lyx | 164 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 164 insertions(+)

diff --git a/lib/doc/Customization.lyx b/lib/doc/Customization.lyx
index 5bf98a7d1d..1c0e63e693 100644
--- a/lib/doc/Customization.lyx
+++ b/lib/doc/Customization.lyx
@@ -15557,5 +15557,169 @@ status collapsed files needs the relative name in order to rewrite the file content. \end_layout +\begin_layout Section +\begin_inset CommandInset label +LatexCommand label +name "sec:Security-discussion" + +\end_inset + +Security discussion +\end_layout + +\begin_layout Standard +\begin_inset Box Shadowbox +position "t" +hor_pos "c" +has_inner_box 1 +inner_pos "t" +use_parbox 0 +width "100col%" +special "none" +height "1in" +height_special "totalheight" +status open + +\begin_layout Plain Layout +WARNING: This section is definitely outdated. +\end_layout + +\end_inset + + +\end_layout + +\begin_layout Standard +The external material feature interfaces with a lot of external programs + and does so automatically, so we have to consider the security implications + of this. + In particular, since you have the option of including your own filenames + and/or parameter strings and those are expanded into a command, it seems + that it would be possible to create a malicious document which executes + arbitrary commands when a user views or prints the document. + This is something we definitely want to avoid. +\end_layout + +\begin_layout Standard +However, since the external program commands are specified in the template + configuration file only, there are no security issues if LyX is properly + configured with safe templates only. + This is so because the external programs are invoked with the +\begin_inset Flex CharStyle:Code +status collapsed + +\begin_layout Plain Layout +execvp +\end_layout + +\end_inset + +-system call rather than the +\begin_inset Flex CharStyle:Code +status collapsed + +\begin_layout Plain Layout +system +\end_layout + +\end_inset + + system-call, so it's not possible to execute arbitrary commands from the + filename or parameter section via the shell. +\end_layout + +\begin_layout Standard +This also implies that you are restricted in what command strings you can + use in the external material templates. 
+ In particular, pipes and redirection are not readily available. + This has to be so if LyX should remain safe. + If you want to use some of the shell features, you should write a safe + script to do this in a controlled manner, and then invoke the script from + the command string. + In the +\begin_inset Flex CharStyle:Code +status collapsed + +\begin_layout Plain Layout +lib/scripts +\end_layout + +\end_inset + + directory of the LyX installation, you can find a safe wrapper script +\begin_inset Flex CharStyle:Code +status collapsed + +\begin_layout Plain Layout +general_command_wrapper.py +\end_layout + +\end_inset + + that supports redirection of input and output. + That can serve as an example for how to write safe template scripts. + For a more advanced example that uses +\begin_inset Flex CharStyle:Code +status collapsed + +\begin_layout Plain Layout +fork +\end_layout + +\end_inset + + and friends, take a look at the +\begin_inset Flex CharStyle:Code +status collapsed + +\begin_layout Plain Layout +pic2ascii.py +\end_layout + +\end_inset + + converter script. +\end_layout + +\begin_layout Standard +It is possible to design a template that interacts directly with the shell, + but since this would allow a malicious user to execute arbitrary commands + by writing clever filenames and/or parameters, we generally recommend that + you only use safe scripts that work with the +\begin_inset Flex CharStyle:Code +status collapsed + +\begin_layout Plain Layout +execvp +\end_layout + +\end_inset + + system call in a controlled manner. + Of course, for use in a controlled environment, it can be tempting to just + fall back to use ordinary shell scripts. + If you do so, be aware that you +\emph on +will +\emph default + provide an easily exploitable security hole in your system. 
+ Of course it stands to reason that such unsafe templates will never be + included in the standard LyX distribution, although we do encourage people + to submit new templates in the open source tradition. + But LyX as shipped from the official distribution channels will never have + unsafe templates. +\end_layout + +\begin_layout Standard +Including external material provides a lot of power, and you have to be + careful not to introduce security hazards with this power. + A subtle error in a single line in an innocent looking script can open + the door to huge security problems. + So if you do not fully understand the issues, we recommend that you consult + a knowledgeable security professional or the LyX development team if you + have any questions about whether a given template is safe or not. + And do this before you use it in an uncontrolled environment. +\end_layout + \end_body \end_document -- 2.39.2
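Review bot: the paragraph beginning "However, since the external program commands are specified in the template configuration file only, there are no security issues if LyX is properly configured with safe templates only" claims more than the execvp-versus-system argument supports. Running the external program through execvp instead of system means no shell parses the command line, so shell metacharacters in a filename or parameter string are not interpreted, which is exactly what the sentence two lines later says ("not possible to execute arbitrary commands from the filename or parameter section via the shell"); it does not make the filename or parameters harmless, since they are still passed verbatim to the invoked program as its arguments, and the program's own handling of them decides whether the template is safe. Suggest rewording the first sentence to "there are no shell injection issues if ..." and adding one sentence that a template's safety also depends on how the invoked program treats its arguments, which the later paragraph on writing wrapper scripts (general_command_wrapper.py, pic2ascii.py) already implies. Separately, the section is reintroduced under a box reading "WARNING: This section is definitely outdated." without any indication of which statements are stale; either name them or point the reader to the current template configuration file so the warning is actionable. Minor: "execvp-system call" and "system system-call" are hyphenated inconsistently within the same sentence; pick one form.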