Policy for opening url links in documents
Jürgen Spitzmüller
jspitzm at gmail.com
Thu Aug 17 06:54:43 UTC 2023
Am Mittwoch, dem 16.08.2023 um 14:33 -0400 schrieb Scott Kostyshak:
> I think Daniel is talking about:
>
> Document > Settings > Format > Output > "Allow running external
> programs"
Or, for that matter, Tools > Preferences > File Handling > Converters >
Use needauth option
>
> Whether 5 or 6, I wonder if it would be helpful to combine the
> preferences. i.e., have a preference "Trust document content", and
> then
> allow the user finer control if they prefer?
I also think it should be something along the line of shell escape,
i.e., people can chose to trust open link or abort, and they can decide
to trust the document. An important issue is that, if people chose to
trust the document, the trust should only hold on the current computer
(as with shell escape). Otherwise evil persons could set the trust
before sending.
So a dialog that says:
----
LyX wants to open the following link in an external application:
<url>
Be aware that this might entail security infringements. Only do this if
you trust the target!
How do you want to proceed?
[Open link] [Abort (=default)]
[ ] Trust this document and do not ask me again!
---
I am not sure we really need a pref to bypass this measure, or disable
the feature completely (as in needauth). This strikes me
overregulation.
BTW are we talking URLs only or also links to local files? If the
latter is also considered to be harmful, things will get significantly
more complicated if lyxpaperview.py is involved.
The dialog above can be implemented easily (for web links).
--
Jürgen
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 508 bytes
Desc: This is a digitally signed message part
URL: <http://lists.lyx.org/pipermail/lyx-devel/attachments/20230817/7fd6a565/attachment-0001.asc>
More information about the lyx-devel
mailing list