From: Auto mailings of changes to Lily Issues via Testlilyissues-auto
Subject: [Lilypond-auto] [LilyIssues-auto] [testlilyissues:issues] #5334 Use system* instead of system when invoking browser
Date: Mon, 11 Jun 2018 22:00:40 -0000

It's easy to get confused in this matter.

On 11/15 2017 Gabriel reported the BROWSER bug, see http://lists.gnu.org/archive/html/bug-lilypond/2017-11/msg00024.html.

Eight days later I opened issue 5243 and proposed a patch to fix the BROWSER bug and a 2nd security problem related to TEXTEDIT links. My proposed solution was to fix the TEXTEDIT code and to completely kill the vulnerable BROWSER code.

Later David proposed an alternative patch in the same issue 5243; that patch was chosen to be integrated into lilypond master. Maybe that patch was the better solution for the TEXTEDIT problem, but David's patch did nothing to fix the BROWSER bug.

Now Don Armstrong reminds us with his patch that the BROWSER bug is still present and proposes a valid solution of that security problem.

Does 'firefox --remote URL' still work? I don't know, I don't care. I'd remove the code, but I probably will not complain if it survives another decade. Maybe someone will propose a patch to adapt the BROWSER related code to our modern software environments.

David's TEXTEDIT code is already in master, apply Don's patch and both security holes are closed in that branch.

Probably the TEXTEDIT and BROWSER patches should also be part of a security-fix-release 2.18.3.


[issues:#5334] Use system* instead of system when invoking browser

Status: Started
Created: Sat Jun 02, 2018 06:03 PM UTC by pkx166h
Last Updated: Mon Jun 11, 2018 05:31 PM UTC
Owner: pkx166h
Attachments:

Don Armstrong - 2018-05-11

I have just uploaded a fix to Debian which switches to using system* instead of system:
https://salsa.debian.org/debian/lilypond/commit/788b56e4b7f62637481af65b4b2929649c30fe78

Not sure if this is cross-platform enough, but it solves the issue for systems with a working system* call.
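
The difference the issue title refers to, as an added Guile example that is not part of the original message, the Debian commit, or LilyPond's code. It assumes the browser command was built as one string for the shell; `echo` stands in for the browser, the URL is constructed, all function names are hypothetical, and the scheme check goes one step beyond what the thread discusses.

```scheme
;; Added illustration; not LilyPond's code. All names here are hypothetical.
;; `echo` stands in for the browser so the script is harmless and offline.
(define browser "echo")

;; Constructed sample input: a URL carrying a shell command separator.
(define sample-url "http://example.invalid/doc.html; echo SHELL-PARSED-THIS")

;; Pattern being replaced: one string handed to the shell by `system`.
;; The shell splits on `;`, so the text after it runs as its own command.
(define (open-url/shell url)
  (system (string-append browser " " url)))

;; Replacement pattern: `system*` passes each argument to the program
;; directly, with no shell, so the URL stays a single argv entry.
(define (open-url/argv url)
  (system* browser url))

;; system* does not stop a value starting with "-" from being read as a
;; browser option, so accept only the URL schemes expected here (assumed list).
(define (allowed-url? url)
  (or (string-prefix? "http://" url)
      (string-prefix? "https://" url)
      (string-prefix? "file://" url)))

(define (open-url/checked url)
  (if (allowed-url? url)
      (status:exit-val (open-url/argv url))
      (begin
        (format (current-error-port) "refusing to open ~s~%" url)
        1)))

(display "system:  ") (force-output)
(open-url/shell sample-url)
(display "system*: ") (force-output)
(open-url/checked sample-url)
(open-url/checked "--some-option")
```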

