lilypond-user

Re: Security problem: lilypond-invoke-editor


From: David Kastrup
Subject: Re: Security problem: lilypond-invoke-editor
Date: Thu, 23 Nov 2017 10:23:53 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/26.0.50 (gnu/linux)

Knut Petersen <address@hidden> writes:

> 12 years ago a security problem was introduced into lilypond-invoke-editor.
> On 2017/11/15 the problem was reported to the bug-lilypond mailing
> list by Gabriel Corona.

[...]

> If you do not know if you are affected:
>
> 1. Locate lilypond-invoke-editor
>
> 2. Open lilypond-invoke-editor in your favorite text editor. Search for
>
>        (if (is-textedit-uri? uri)
>          (run-editor uri)
>          (run-browser uri)))))
>
> and replace it with
>
>        (if (is-textedit-uri? uri)
>          (run-editor uri)))))

Stupid question: what does run-editor do to be inherently safer than
run-browser, and what would prevent run-browser from doing the same?

The reason I am asking is that changing the semantics significantly
before 2.20 is icky, yet we would not want to leave a security hole
around we have been given notice of.

So the question is whether there would not be a sort-of trivial patchup
of this preserving the original intent.

For the long haul, it's probably the right fix on GNU/Linux systems.  I
just have no idea how this would affect other systems and possibly our
installers.

-- 
David Kastrup
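
The check in steps 1 and 2 of the quoted instructions can be scripted. This is an added example, not part of the message and not LilyPond code; the function names `check_invoke_editor` and `scan_path` are hypothetical, and it assumes the script is on `PATH` and lays the form out across lines as quoted above.

```shell
#!/bin/sh
# Added example: report whether a lilypond-invoke-editor script still carries
# the (run-browser uri) fallback in the form quoted in the message.

# check_invoke_editor FILE
#   0 = dispatch form found, no run-browser fallback (the edited form)
#   1 = dispatch form found, run-browser fallback present (the original form)
#   2 = file unreadable or dispatch form not found
check_invoke_editor() {
    [ -r "$1" ] || return 2
    awk '
        # Drop Scheme line comments so a commented-out call is not counted.
        { sub(/;.*/, "") }
        # Start of the form: (if (is-textedit-uri? uri)
        /\(if[ \t]+\(is-textedit-uri\?[ \t]+uri\)/ { in_if = 1; seen = 1; n = 0 }
        in_if {
            # The quoted form spans three lines; look no further than that.
            if ($0 ~ /\(run-browser[ \t]+uri\)/) { fallback = 1; in_if = 0 }
            else if (++n >= 3) in_if = 0
        }
        END { if (!seen) exit 2; exit (fallback ? 1 : 0) }
    ' "$1"
}

# scan_path: run the check on the copy found on PATH (assumption: that is the
# copy your PDF viewer or browser actually invokes).
scan_path() {
    target=$(command -v lilypond-invoke-editor) || {
        echo "lilypond-invoke-editor not found on PATH"; return 2; }
    rc=0
    check_invoke_editor "$target" || rc=$?
    case $rc in
        0) echo "$target: no run-browser fallback in the textedit dispatch" ;;
        1) echo "$target: run-browser fallback present" ;;
        *) echo "$target: dispatch form not found, inspect by hand" ;;
    esac
    return "$rc"
}

# Run the scan only when asked to, so the file can also be sourced.
if [ "${1:-}" = "--scan" ]; then scan_path; fi
```

Result 2 also covers installs where the file on `PATH` is a wrapper rather than the Scheme script itself; in that case open the wrapped file by hand.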


