Re: Arbitrary shell command injection in lilypond-invoke-editor
From: Knut Petersen
Subject: Re: Arbitrary shell command injection in lilypond-invoke-editor
Date: Wed, 22 Nov 2017 19:02:38 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.4.0

On 15.11.2017 at 00:12, Gabriel Corona wrote:
> In fact, in lilypond-invoke-editor's case it's even worse than that as
> lilypond-invoke-editor can be used to execute arbitrary commands:
>
>   BROWSER="chromium" /usr/bin/lilypond-invoke-editor "http://www.example.com/ & xterm"
>   BROWSER="chromium" /usr/bin/lilypond-invoke-editor "http://www.example.com/&xterm"

I have to admit that I never used lilypond-invoke-editor, but it is obvious that
Gabriel's report is correct. Thanks for reporting the problem, Gabriel!

BUT: In lilypond-invoke-editor we have:

    (define (is-textedit-uri? uri)
      (string-match "^textedit:" uri))
    [...]
    (define (run-browser uri)
      (system
       (if (getenv "BROWSER")
           (format #f "~a ~a" (getenv "BROWSER") uri)
           (format #f "firefox -remote 'OpenURL(~a,new-tab)'" uri))))
    [...]
      (let* ((uri (car files)))
        (if (is-textedit-uri? uri)
            (run-editor uri)
            (run-browser uri)))))

It would be possible to fix handling of URIs for browsers, but as long as
lilypond-invoke-editor is only called for textedit URIs, run-browser will not
be executed.
That means: There is only a real and severe security problem if
lilypond-invoke-editor is installed to handle non-textedit URIs.
Does anybody do that? Probably not.
I think we simply should nuke run-browser and do nothing
if lilypond-invoke-editor is called with a non-textedit URI.
Knut
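
The following is an added example, not part of the original message and not LilyPond code. It reproduces in Python the mechanism discussed above: run-browser formats the URI into a single string for the shell, so "&" is treated as shell syntax, whereas passing the URI as one argv element keeps it as data. FAKE_BROWSER, URI and the function names are constructed for the illustration, with a harmless echo standing in for xterm; a POSIX shell is assumed.

```python
import shlex
import subprocess
import sys

# Constructed stand-in for $BROWSER: echoes each argument it was started with.
FAKE_BROWSER = [sys.executable, "-c",
                "import sys; print('\\n'.join('ARG:' + a for a in sys.argv[1:]))"]

# Constructed input shaped like the reported one; a harmless echo replaces xterm.
URI = "http://www.example.com/ & echo INJECTED"


def run_browser_shell(uri):
    """Same pattern as (system (format #f "~a ~a" browser uri)):
    browser and URI are joined into one string and handed to /bin/sh -c."""
    browser = " ".join(shlex.quote(part) for part in FAKE_BROWSER)
    cmd = "{} {}".format(browser, uri)  # URI is interpolated unquoted, as on the page
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout
    return sorted(out.splitlines())     # sorted: the "&" makes the order racy


def run_browser_argv(uri):
    """No shell involved: the URI is exactly one argument, whatever it contains."""
    out = subprocess.run(FAKE_BROWSER + [uri], capture_output=True, text=True).stdout
    return out.splitlines()


def dispatch(uri):
    """The proposal in the message: handle textedit: URIs, do nothing otherwise.
    Returns the name of the handler that would run (run-editor is not shown on the page)."""
    if uri.startswith("textedit:"):
        return "run-editor"
    return None


if __name__ == "__main__":
    print("via shell:", run_browser_shell(URI))  # URI truncated, second command ran
    print("via argv :", run_browser_argv(URI))   # whole URI arrives as one argument
    print("dispatch :", dispatch(URI))           # non-textedit URI is ignored
```
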