[texworks] Script: Questions about the API

T T t34www at googlemail.com
Wed Apr 14 18:29:12 CEST 2010

On 14 April 2010 00:43, Paul A Norman <paul.a.norman at gmail.com> wrote:
> I can see the need to be a little bit careful, if the user didn't
> watch what they were doing (especially someone supplying scripts to
> users who otherwise have no scripting knowledge) bad stuff could
> happen to other files especially in Windows many flavours of which
> have few permission safeguards - and which for practical reasons many
> users run in Administrator mode..

But the same can be said about any piece of software (script or not).
You just shouldn't run software that you don't trust (at least not
without special precautions like a limited account or virtual machine).

It is valid to restrict what documents can do -- opening a .tex or
.pdf file should not launch rockets and start the 3rd World War -- but
applying the same rules to extension plugins makes little sense to me.
This doesn't improve security in any meaningful way but only removes
useful functionality.

Just to give an example of another application I'm familiar with: Ipe
(a LaTeX friendly drawing editor) is extensible through Lua scripts
(it is actually partially written in Lua).  The plugin scripts (called
Ipelets) are sandboxed, but only for fault protection and isolation,
otherwise they are granted the same privileges as the main application
enjoys including file access and system calls.


