Don, as this issue was already closed, I have taken your patch, rebased it to 
current master and attached it to a new issue - 
https://sourceforge.net/p/testlilyissues/issues/5334/

The developer who had committed the patch for this tracker had asked why the 
fix (on this issue) was not enough. Would you mind commenting in that new 
tracker listed?

Thank you for your time.

James


---

** [issues:#5243] Fix security problem in lilypond-invoke-editor**

**Status:** Fixed
**Labels:** Fixed _2_21_0 
**Created:** Thu Nov 23, 2017 08:35 AM UTC by Knut Petersen
**Last Updated:** Fri May 11, 2018 04:52 PM UTC
**Owner:** David Kastrup


David Kastrup - 22 hours ago

More conservative parsing of textedit URIs

Also contains commits:

Let get-editor use shell-quote-argument

Addresses security concerns.

(editor scm): Add shell-quote-argument function

This is mostly stolen from Emacs.

I have no idea how to properly test this or whether it runs at all.

http://codereview.appspot.com/336450043

*Initial issue for this Tracker (replace by the info above):*
Fix security problem in lilypond-invoke-editor

If lilypond-invoke-editor was installed as a general
uri-helper it was easy to abuse it to execute arbitrary
code on an attacked system for non-textedit URIs.
This part of the problem was discovered and reported
to our bug-lilypond mailing list by Gabriel Corona.

But also pure textedit URIs were vulnerable, an
example is the URI

textedit:///:&xterm -e find ~/&:x: 

that executes "find ~/" in an xterm. 

With this patch lilypond-invoke-editor only
handles textedit URIs, and it no longer 
uses the system's command processor but
Guile's system* procedure for those URIs. 

Also the script will abort if the line, char and
column fields of a textedit URI contain anything
but digits.

We could have fixed URI passing to the browser,
but it is not our job to provide a general URI helper.
Other software (e.g. xdg-open and friends) should
be used for that. 

The security problem fixed now was introduced
into lilypond in the year 2005.

Signed-off-by: Knut Petersen <knut_peter...@t-online.de>

http://codereview.appspot.com/336240043
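An added example, not LilyPond's own code (lilypond-invoke-editor is written in Guile Scheme), showing in Python the conservative handling the commit message describes: accept only textedit URIs, require digit-only line/char/column fields, and pass the editor an argv list rather than a shell command line. The editor name, the "+LINE:COLUMN FILE" argument convention and the sample path are this example's assumptions.

```python
import re
import subprocess
from typing import Callable, List, NamedTuple, Optional

# Conservative grammar for a textedit URI: textedit://FILE:LINE:CHAR:COLUMN
# The FILE part may not contain ':' (an assumption made here so that the
# fields cannot be confused), and the three position fields must consist of
# digits only, as the commit message requires.
TEXTEDIT_RE = re.compile(r"\Atextedit://([^:]+):([0-9]+):([0-9]+):([0-9]+)\Z")


class TexteditLocation(NamedTuple):
    path: str
    line: int
    char: int
    column: int


def parse_textedit_uri(uri: str) -> TexteditLocation:
    """Parse a textedit URI or raise ValueError.

    A URI with any other scheme, or whose line/char/column fields contain
    anything but digits, is rejected before any editor command exists.
    """
    match = TEXTEDIT_RE.match(uri)
    if match is None:
        raise ValueError(f"not a well-formed textedit URI: {uri!r}")
    path, line, char, column = match.groups()
    return TexteditLocation(path, int(line), int(char), int(column))


def is_valid_textedit_uri(uri: str) -> bool:
    """True if parse_textedit_uri would accept the URI."""
    return TEXTEDIT_RE.match(uri) is not None


def editor_argv(loc: TexteditLocation, editor: str = "emacs") -> List[str]:
    """Build the editor command as an argv list, never as a shell string.

    '+LINE:COLUMN FILE' is the form Emacs accepts; the editor and the argument
    form are this example's assumptions, not LilyPond's configuration.
    """
    return [editor, f"+{loc.line}:{loc.column}", loc.path]


def invoke_editor(uri: str, editor: str = "emacs",
                  run: Optional[Callable[[List[str]], object]] = None) -> List[str]:
    """Validate the URI, then hand the argv list to `run`.

    By default `run` is subprocess.run, which executes the program directly
    with no shell in between (the Python analogue of Guile's system*), so
    metacharacters in the path reach the editor as literal characters.
    Returns the argv that was used.
    """
    loc = parse_textedit_uri(uri)
    argv = editor_argv(loc, editor)
    if run is None:
        subprocess.run(argv, check=False)
    else:
        run(argv)
    return argv


if __name__ == "__main__":
    # The hostile URI quoted in the commit message is rejected outright.
    hostile = "textedit:///:&xterm -e find ~/&:x:"
    try:
        parse_textedit_uri(hostile)
    except ValueError as err:
        print("rejected:", err)
    # A well-formed URI for a constructed path; the run callback only records
    # the argv, so nothing is actually launched here.
    print(invoke_editor("textedit:///tmp/score.ly:12:3:7", run=lambda argv: None))
```

Two properties carry the fix: the parser fails closed on anything that is not exactly scheme, path and three numeric fields, and the editor is started from an argv list, so even a path containing `&` or `;` arrives at the editor as one literal argument instead of being interpreted by a command processor.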


---

Sent from sourceforge.net because testlilyissues-a...@lists.sourceforge.net is 
subscribed to https://sourceforge.net/p/testlilyissues/issues/
