Re: Bug#311997: ITP: gaim-latex -- gaim plugin which translates LaTeX code into image in conversation
On Mon, Jun 06, 2005 at 04:00:47PM -0400, Daniel Jacobowitz wrote:
> On Mon, Jun 06, 2005 at 08:45:11PM +0200, Martin Braure de Calignon wrote:
> > On Monday, 06 June 2005 at 14:28 -0400, Anthony DeRobertis wrote:
> > > Roberto C. Sanchez wrote:
> > > Ummm, I think you've missed my point. The thread is discussing a GAIM
> > > (instant message client) plugin. So that script is not run by you, it is
> > > run by an arbitrary stranger sending you an instant message, but on your
> > > machine and as you. That's why it's a problem.
> > >
> > > Looks like if you installed this package, I could send you an IM and
> > > overwrite an arbitrary file on your machine.
> > >
> > > [This is just judging from the code snippet posted; don't have time to
> > > fully audit the software.]
> > >
> > >
> > Well, you're right.
> > So I think I won't package it. Do I have to do something special with
> > the BTS? Close the bug? Add a wont-fix tag?
> Make a version which generates the image on the sending side?
That would be a *very* nice plugin. The bad thing about the current
plugin isn't only the security concern: it requires that the recipient
have the plugin installed. If the image is generated on the sending
side, it solves the security problem, and also makes it possible to
send (La)TeX fragments to arbitrary recipients with no additional
hassle. I think this is worth considering.
Chance favours the prepared mind. -- Louis Pasteur