[texworks] TeXworks 0.5 rev _862 would not start ... reveals possible minor security issue

Paul A Norman paul.a.norman at gmail.com
Thu Jul 21 04:32:41 CEST 2011


P.S. if this is viewed as safe enough with the other security features
already in place in TeXworks, it seems to open the door up to having a
core group of scripts available on a LAN server, maintained by an
administrator, with folder short-cut(s) in the Users' script folder(s)
where personalised scripts can be made and placed by Users as well.

I have found that  a direct short-cut to a LAN remote script (not to
the folder but to the script itself) does not work (at least under
Windows), only short-cuts to folders work.

Paul

On 21 July 2011 14:18, Paul A Norman <paul.a.norman at gmail.com> wrote:
> HI,
>
> This could be a feature or a bug...
>
> I have just been though an interesting exercise worth advising others about.
>
> Suddenly I could not open TeXworks, either in filemanger with a
> double click, from a command prompt nor by any other means.
>
> Xp taskmanager would show it churning through CPU for munite after
> minute after minute until I killed its process.
>
> Found that I could run the MikTeX version of TeXworks in the MikTex
> tree, but not a single revision of TeXworks would start from my normal
> portable setup directory.
>
> Canary Chrome was playiong up, but that happens form time to time as
> they try out new releases, (normal Chrome was fine) so..
>
> Virus checker could not find anything.
>
> TeXworks would show in Windows Xp's TaskManager but only under
> processes, it never made it into the real world as an Application. I
> would kill it as a process before trying to restart it. Otherwise it
> could run using a lot of CPU for ages.
>
> Two or more copies of Tw could be started and each have their own
> process - this would not normally be possible.
>
> I had not edited any Tw hook scripts for days, but I renamed their
> suffices all one by one (which deactivated them) and restarted Tw
> imbetween each rename, still nothing happening.
>
> So I moved all my scripts to a new location leaving an empty scripts folder.
>
> Tw started absolutely no issues.
>
> I moved just the top files (not script subdirectories back to the
> script folder) - Tw would not start.
>
> So I left these top directory files out, and only moved subdirectories
> back into the script folder (no files on top level of the script
> directory).
>
> Tw started ok.
>
> So I racked my brains, I had not created any top directory level
> scripts for weeks.
>
> But I had made a shortcut in that level to my General Latex working
> files (all up some 7,000) in total. Was Tw following the shortcut and
> trying to analyse all 7,000 filers to find scripts on start up?
>
> Deleted shortcut, and Tw opened ok.
>
> Made a new folder on harddrive, and made a shortcut to this remote
> folder in the root of the Tw scripts directory.
>
> I put this script below in the remote folder, reloaded scripts and
> sure enough the shortcut appears in the Scripts menu as a directory
> with .lnk suffix (correct), and the script is listed under it and
> works when called by the shortcut.
>
> As from the tenor of previous discussion here, some may view this as a
> security issue, thought I better run the issue publicly  here on the
> list for analysis and a decision, and if it is not thought to be a
> security issue - I really like it!
>
> Paul
>
> // TeXworksScript
> // Title:  trail shortcut
> // Description: Testing whether Shortcuts will be followed in Script directory
> // Author:  Paul Norman
> // Version: 0.1
> // Date: 2011-07-21
> // Script-Type: standalone
> // Context: TeXDocument
> // Shortcut: Alt+T, Alt+A
>
>  TW.information(null, "Short Cut Read", "Short Cut Works");
>
>  null;
>



More information about the texworks mailing list