
Message-ID: <BANLkTikdSNdr9R7SaqGk+ty9GnWEaxCDcw@mail.gmail.com>
Date: 2011-05-11T21:31:18Z
From: Hadley Wickham
Subject: How to document man/*.Rd pages with images?
In-Reply-To: <1E65C09B-3C63-47C3-8EF6-2FCE13F61F15@r-project.org>

> Oh, my ... it's worse than I thought. Not only does it run things so you have to wait forever - it actually installs packages behind your back! Wow, now there is the nightmare abuse of \Sexpr - the malicious package retrieves private data from your machine and deletes your files... and I was worrying about leaving a tiny crack open for Rhttpd injection attacks - yet there is a big gaping door open to all packages ... Does it mean we need more stringent checks on Rd files now as well since they contain code?

As long as you realise Rd files can run arbitrary R code, you're no
worse off than you were before Rd files could run code.  No one is
checking that there's not a function in ggplot2 that secretly sends me
all your code and data ;)

Hadley

-- 
Assistant Professor / Dobelman Family Junior Chair
Department of Statistics / Rice University
http://had.co.nz/