lilypond-auto
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Lilypond-auto] [LilyIssues-auto] [testlilyissues:issues] Re: #5243 Fix

From: Auto mailings of changes to Lily Issues via Testlilyissues-auto
Subject: [Lilypond-auto] [LilyIssues-auto] [testlilyissues:issues] Re: #5243 Fix security problem in lilypond-invoke-editor
Date: Sat, 02 Jun 2018 18:06:08 -0000

Don, as this issue was already closed, I have thake your patch, rebased it to current master and attached it to a new issue - https://sourceforge.net/p/testlilyissues/issues/5334/

The developer who had committed the patch for this tracker had asked why the fix (on this issue) was not enough. Would you mind commenting in that new tracker listed?

Thank you for your time.

James

[issues:#5243] Fix security problem in lilypond-invoke-editor

Status: Fixed
Labels: Fixed _2_21_0
Created: Thu Nov 23, 2017 08:35 AM UTC by Knut Petersen
Last Updated: Fri May 11, 2018 04:52 PM UTC
Owner: David Kastrup

David Kastrup - 22 hours ago

More conservative parsing of textedit URIs

Also contains commits:

Let get-editor use shell-quote-argument

Addresses security concerns.

(editor scm): Add shell-quote-argument function

This is mostly stolen from Emacs.

I have no idea how to properly test this or whether it runs at all.

http://codereview.appspot.com/336450043

Initial issue for this Tracker (replace by the info above):
Fix security problem in lilypond-invoke-editor

If lilypond-invoke-editor was installed as a general
uri-helper it was easy to abuse it to execute arbitrary
code on an attacked system for non-textedit URIs.
This part of the problem was discovered and reported
to our bug-lilypond mailing list by Gabriel Corona.

But also pure textedit URIs were vulnerable, an
example is the URI

textedit:///:&xterm -e find ~/&:x:

that executes "find ~/" in a xterm.

With this patch lilypond-invoke-editor only
handles textedit URIs, and it does no longer
use the systems command processor but
guiles system* procedure for those URIs.

Also the script will abort if the line, char and
column fields of a textedit URI contain anything
but digits.

We could have fixed URI passing to the browser,
but it is not our job to provide a general URI helper.
Other software (e.g. xdg-open and friends) should
be used for that.

The security problem fixed now was introduced
into lilypond in the year 2005.

Signed-off-by: Knut Petersen address@hidden

http://codereview.appspot.com/336240043

Sent from sourceforge.net because address@hidden is subscribed to https://sourceforge.net/p/testlilyissues/issues/

To unsubscribe from further messages, a project admin can change settings at https://sourceforge.net/p/testlilyissues/admin/issues/options. Or, if this is a mailing list, you can unsubscribe from the mailing list.

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Testlilyissues-auto mailing list
address@hidden
https://lists.sourceforge.net/lists/listinfo/testlilyissues-auto
reply via email to
[Prev in Thread] Current Thread [Next in Thread]