bug#28811: 11.90.2.2017-07-25; preview-at-point

[Ken Sharp]

At 18:16 04/11/2017 +0100, David Kastrup wrote:

> > Well the obvious suggestion is simply 'don't use SAFER and DELAYSAFER'
> > because then you don't need .runandhide :-)
>
> They are there for a reason, aren't they?

Yes, though I would (and have) argued against them. The interpreter is 
intended to be able to access the file system (as permitted by the language 
specification). Nevertheless, the capability exists to prevent that, 
because people asked for it.


> It's rendering individual PostScript files in an order determined by the
> current position in a viewer (in this case an Emacs file), and the
> individual files are externally provided, so they may contain malicious
> code.

Provided they are in the current directory, as far as I'm aware you don't 
need to break SAFER for them, because the Current worming directory is 
permitted. I can't recall if that requires -P- or not, it may do.


> Pretty much the principal reason for the existence of DELAYSAFER.

DELAYSAFER is there to permit operations to be concluded that won't work if 
you have SAFER. This is, however, a massive security hole, there are nay 
number of implementations and 'recipes' out there which use SAFER and 
DELAYSAFER and never call .setsafe. Also WRITESYSTEMDICT and other things.

In any event, DELAYSAFER hasn't changed.


> This uses Ghostscript interactively via pipes (or a tty, I forget
> which): if there was a mode "be unsafe on the Ghostscript interpreter
> command line and safe within files read from there", that would work.

No way that Ghostscript can tell the difference, at the interpreter level, 
it all just comes in as streamed data.


> How are safe PostScript viewers to be implemented now?

Well, you can use SAFER, you can even use DELAYSAFER, that has not changed. 
What I'm questioning is the use of .runandhide.


                    Ken