Hans, I have other comments for embedded files, but I need more time to compose them. Right now I would like to comment an issue with the following source: \setupinteraction[state=start] \starttext \startTEXpage[offset=1em] \attachment[/home/ousia/xml-mkiv.pdf] [name=new-name.pdf, title=Title, subtitle=Subtitle, method=hidden, author=author] \stopTEXpage \stoptext If method=hidden, a /Names dictionary is added, with the following content: 9 0 obj << /Names [ (/home/ousia/xml-mkiv.pdf) 2 0 R ] >> endobj In some scenarios, this could be a security issue. Wouldn’t it be possible that the content of the /Names entries would be replaced by the option keys title or name from \attachment? Many thanks for your help, Pablo -- http://www.ousia.tk
On 3/20/2019 10:46 PM, Pablo Rodriguez wrote:
Hans,
I have other comments for embedded files, but I need more time to compose them.
Right now I would like to comment an issue with the following source:
\setupinteraction[state=start] \starttext \startTEXpage[offset=1em] \attachment[/home/ousia/xml-mkiv.pdf] [name=new-name.pdf, title=Title, subtitle=Subtitle, method=hidden, author=author] \stopTEXpage \stoptext
If method=hidden, a /Names dictionary is added, with the following content:
9 0 obj << /Names [ (/home/ousia/xml-mkiv.pdf) 2 0 R ] >> endobj
In some scenarios, this could be a security issue.
Wouldn’t it be possible that the content of the /Names entries would be replaced by the option keys title or name from \attachment? could be an option (not that i see a security risk here but flagging something as a 'security issue' seems to be popular anyway
but ... no changes in that bit of code for the next few weeks as we're in the tex live code freeze window Hans ----------------------------------------------------------------- Hans Hagen | PRAGMA ADE Ridderstraat 27 | 8061 GH Hasselt | The Netherlands tel: 038 477 53 69 | www.pragma-ade.nl | www.pragma-pod.nl -----------------------------------------------------------------
On 3/21/19 6:35 PM, Hans Hagen wrote:
On 3/20/2019 10:46 PM, Pablo Rodriguez wrote:
[...] In some scenarios, this could be a security issue.
Wouldn’t it be possible that the content of the /Names entries would be replaced by the option keys title or name from \attachment? could be an option (not that i see a security risk here but flagging something as a 'security issue' seems to be popular anyway
Hans, flagging it as a “security issue” was maybe too much from my part. But companies tend to be paranoid with this kind of issues (more a question of public relations).
but ... no changes in that bit of code for the next few weeks as we're in the tex live code freeze window
I can wait. I will make other proposals in the meantime... Many thanks for your help, Pablo -- http://www.ousia.tk
Pablo Rodriguez schrieb am 24.03.19 um 18:12:
On 3/21/19 6:35 PM, Hans Hagen wrote:
On 3/20/2019 10:46 PM, Pablo Rodriguez wrote:
[...] In some scenarios, this could be a security issue.
Wouldn’t it be possible that the content of the /Names entries would be replaced by the option keys title or name from \attachment? could be an option (not that i see a security risk here but flagging something as a 'security issue' seems to be popular anyway
Use \attachment[file=<filename>] instead of \attachment[<filename>] The name of the first argument can be used to refer to a previously defined attachment (can be done with \registerattachment) but ConTeXt supports a file for backwards compatibility. Wolfgang
On 3/24/19 6:59 PM, Wolfgang Schuster wrote:
[...] \attachment[file=<filename>]
instead of
\attachment[<filename>]
The name of the first argument can be used to refer to a previously defined attachment (can be done with \registerattachment) but ConTeXt supports a file for backwards compatibility.
Sorry, Wolfgang, I don’t get it. With the following source: \setupinteraction[state=start] \starttext \startTEXpage[offset=1em] \attachment [file=/home/ousia/xml-mkiv.pdf, name=new-name.pdf, title=Title, subtitle=Subtitle, method=hidden, author=author] \stopTEXpage \stoptext I get the following PDF object: << /Names [ (/home/ousia/xml-mkiv.pdf) 2 0 R ]
Nothing changed here (compared to my original report). Or were you giving me hints of better command usage? Many thanks for your help, Pablo -- http://www.ousia.tk
On 3/24/19 6:59 PM, Wolfgang Schuster wrote:
[...] \attachment[file=<filename>]
instead of
\attachment[<filename>]
The name of the first argument can be used to refer to a previously defined attachment (can be done with \registerattachment) but ConTeXt supports a file for backwards compatibility. Sorry, Wolfgang, I don’t get it.
With the following source:
\setupinteraction[state=start] \starttext \startTEXpage[offset=1em] \attachment [file=/home/ousia/xml-mkiv.pdf, name=new-name.pdf, title=Title, subtitle=Subtitle, method=hidden, author=author] \stopTEXpage \stoptext
I get the following PDF object:
<< /Names [ (/home/ousia/xml-mkiv.pdf) 2 0 R ] Nothing changed here (compared to my original report). No, I assumed you get the default “auto” in the /Names entry when you don’t
Or were you giving me hints of better command usage? This wasn’t he case here but I suggest to use the first argument only to
Pablo Rodriguez schrieb am 24.03.19 um 21:13: pass the name of the attached file in the first argument but I'm wrong here. pass the name of a \defineattachment or \registerattachment instance. Wolfgang
participants (3)
-
Hans Hagen -
Pablo Rodriguez -
Wolfgang Schuster