The advantage of my approach is that it's API compatible and merely relies on an additional shell-quote-argument. It's more of a discussion basis than anything else. This is as to yet untested: more likely than not it does not compile/run/work. Why not make it a full review? I am not sure that this is the way to go ahead. Ok, I am attaching a prospective diff here.

+ +The security problem fixed now was introduced +into lilypond in the year 2005. xdg-open and friends) should +be used for that. +but it is not our job to provide a general URI helper. xdg-open and -friends) should be used for that. but it is not our job to provide a general -URI helper. + +Also the script will abort if the line, char and +column fields of a textedit URI contain anything +but digits. +handles textedit URIs, and it does no longer +use the systems command processor but +guiles system* procedure for those URIs. + +But also pure textedit URIs were vulnerable, an +example is the URI + +textedit:///:&xterm -e find ~/&:x: + +that executes "find ~/" in a xterm. +This part of the problem was discovered and reported +to our bug-lilypond mailing list by Gabriel Corona. +If lilypond-invoke-editor was installed as a general +uri-helper it was easy to abuse it to execute arbitrary +code on an attacked system for non-textedit URIs. If lilypond-invoke-editor was installed as a -general uri-helper it was easy to abuse it to -execute arbitrary code on an attacked system. Signed-off-by: Knut Petersen old +++ new -1,16 +1,34

security problem in lilypond-invoke-editor
The security problem fixed now was introduced
We could have fixed URI passing to the browser,
but it is not our job to provide a general URI helper.
Handles textedit URIs, and it does no longer
Also the script will abort if the line, char and
column fields of a textedit URI contain anything
With this patch lilypond-invoke-editor only
To our bug-lilypond mailing list by Gabriel Corona.
But also pure textedit URIs were vulnerable, an
This part of the problem was discovered and reported
Uri-helper it was easy to abuse it to execute arbitrary
code on an attacked system for non-textedit URIs.
If lilypond-invoke-editor was installed as a general

Initial issue for this Tracker (replace by the info above):
Fix security problem in lilypond-invoke-editor

I have no idea how to properly test this or whether it runs at all.
(editor scm): Add shell-quote-argument function

OTOH a translator might not be interested to be subscribed to
But as you say translators can be CCed when needed.

More conservative parsing of textedit URIs

In the last years it was used mainly by the catalan translator to share
The traffic on has been very very low for some years.
Translators can always be CCed in a particular thread
The workflow are also important for developers, and
build issues affect everyone of course.
Size of the development community (lilypond-devel,
bug-lilypond, issues, merge requests).
Towards moving everything on lilypond-devel, because we
already have many communication channels compared to the
We pick, lilypond-devel or a new mailing list? I lean
Without requiring maintenance on our side.
Gnu.org, which is proven to have long-term reliability
Strive to move discussions to mailing lists hosted by
Is (currently) inactive as a developer, I think we should
Moreover, as Valentin, the administrator of ,
Il giorno mar alle 10:45:17 +0200, Jean Abou Samra