[texworks] TeXworks 0.5 rev _862 would not start ... reveals possible minor security issue

Stefan Löffler st.loeffler at gmail.com
Thu Jul 21 20:04:46 CEST 2011


On 2011-07-21 04:32, Paul A Norman wrote:
> P.S. if this is viewed as safe enough with the other security features
> already in place in TeXworks, it seems to open the door up to having a
> core group of scripts available on a LAN server, maintained by an
> administrator, with folder short-cut(s) in the Users' script folder(s)
> where personalised scripts can be made and placed by Users as well.

Right now, I don't see that this would be a particular security issue.
Everything/everyone that is able to create a link in the scripts folder
could conceivably also write a script file directly. Or am I overlooking
something here?
In fact, it could be difficult on some systems to prevent links. E.g.,
on Linux there are several types of links, some of which (hardlinks) are
indistinguishable for our purposes (AFAIK).

> I have found that  a direct short-cut to a LAN remote script (not to
> the folder but to the script itself) does not work (at least under
> Windows), only short-cuts to folders work.

My guess is that this is related to the way links work on Windows. IIRC,
they are realized by files with the extension .lnk. I therefore assume
Qt picks up that extension, which doesn't match the ones Tw recognizes
(.js, .py, .lua). We should probably handle this transparently, though
(could you add a GC issue?).


More information about the texworks mailing list