- Description has changed:
Diff:
~~~~
--- old
+++ new
@@ -1,16 +1,34 @@
Fix security problem in lilypond-invoke-editor
-If lilypond-invoke-editor was installed as a
-general uri-helper it was easy to abuse it to
-execute arbitrary code on an attacked system.
+If lilypond-invoke-editor was installed as a general
+uri-helper it was easy to abuse it to execute arbitrary
+code on an attacked system for non-textedit URIs.
+This part of the problem was discovered and reported
+to our bug-lilypond mailing list by Gabriel Corona.
+
+But also pure textedit URIs were vulnerable, an
+example is the URI
+
+textedit:///:&xterm -e find ~/&:x:
+
+that executes "find ~/" in a xterm.
With this patch lilypond-invoke-editor only
-handles textedit URIs.
+handles textedit URIs, and it does no longer
+use the systems command processor but
+guiles system* procedure for those URIs.
+
+Also the script will abort if the line, char and
+column fields of a textedit URI contain anything
+but digits.
We could have fixed URI passing to the browser,
-but it is not our job to provide a general
-URI helper. Other software (e.g. xdg-open and
-friends) should be used for that.
+but it is not our job to provide a general URI helper.
+Other software (e.g. xdg-open and friends) should
+be used for that.
+
+The security problem fixed now was introduced
+into lilypond in the year 2005.
Signed-off-by: Knut Petersen <[email protected]>
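Review bot: the new description says the script "will abort" when the line, char or column field contains a non-digit, but not how (message on stderr, non-zero exit status), and it does not say what now happens to a non-textedit URI once the helper "only handles textedit URIs" (silently ignored, or refused with an error). Both matter to anyone who has registered lilypond-invoke-editor as a general URI helper, so state them in the message, e.g. "prints an error to stderr and exits with a non-zero status". Minor wording: "guiles system* procedure" and "the systems command processor" should read "Guile's system* procedure" and "the system's command processor".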
~~~~
---
**[issues:#5243] Fix security problem in lilypond-invoke-editor**
**Status:** Started
**Created:** Thu Nov 23, 2017 08:35 AM UTC by Knut Petersen
**Last Updated:** Fri Nov 24, 2017 05:26 PM UTC
**Owner:** Knut Petersen
Fix security problem in lilypond-invoke-editor

If lilypond-invoke-editor was installed as a general
uri-helper it was easy to abuse it to execute arbitrary
code on an attacked system for non-textedit URIs.
This part of the problem was discovered and reported
to our bug-lilypond mailing list by Gabriel Corona.

But also pure textedit URIs were vulnerable; an
example is the URI

textedit:///:&xterm -e find ~/&:x:

that executes "find ~/" in an xterm.

With this patch lilypond-invoke-editor only
handles textedit URIs, and it no longer
uses the system's command processor but
Guile's system* procedure for those URIs.

Also the script will abort if the line, char and
column fields of a textedit URI contain anything
but digits.

We could have fixed URI passing to the browser,
but it is not our job to provide a general URI helper.
Other software (e.g. xdg-open and friends) should
be used for that.

The security problem fixed now was introduced
into lilypond in the year 2005.

Signed-off-by: Knut Petersen <[email protected]>
http://codereview.appspot.com/336240043
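The following is an added illustration of the two points the issue description makes; it is not code from LilyPond or from the patch under review. It models the pre-fix behaviour (URI fields spliced into one command string that is handed to the system's command processor, so a textedit URI of the same shape as the one quoted in the description runs an injected command) beside the fixed behaviour (scheme restricted to textedit, line/char/column accepted only when they are digits, editor started from an argv list with no shell, which is what switching from Guile's system to system* achieves). Python's subprocess with and without shell=True stands in for Guile's system and system*; the path:line:char:column field layout, the "true" stand-in editor, the "+LINE:COLUMN" editor argument and the sample URIs are assumptions made for the example.

```python
"""textedit: URI handling: the shell-injection bug and the argv-based fix.

Added example, not LilyPond's lilypond-invoke-editor code. The old pattern
passed a command string containing the URI fields to /bin/sh, so shell
metacharacters in a field ran as commands. The fixed pattern aborts unless
the position fields are all digits and runs the editor via an argv list
(subprocess without shell=True, the analogue of Guile's system* vs system).
"""
import json
import re
import subprocess
import sys

# Constructed sample URIs (assumed layout textedit://PATH:LINE:CHAR:COLUMN).
# MALICIOUS_URI has the shape of the issue's "textedit:///:&xterm -e find ~/&:x:"
# with a harmless injected command in place of the xterm.
BENIGN_URI = "textedit:///home/user/song.ly:12:4:7"
MALICIOUS_URI = "textedit:///:&echo INJECTED&:x:"
METACHAR_PATH_URI = "textedit:///tmp/a&b;echo X.ly:3:0:2"


def vulnerable_invoke(uri, editor="true"):
    """Pre-fix pattern: split the URI without validation, build ONE command
    string and hand it to /bin/sh. 'true' stands in for the editor so the
    demo is harmless; the injected command still runs."""
    path, line, _char, column = uri[len("textedit://"):].rsplit(":", 3)
    cmd = f"{editor} +{line}:{column} {path}"  # e.g. "true +&echo INJECTED&: /"
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return cmd, proc.stdout


# Fixed form: scheme must be textedit, the path is kept verbatim, and the
# three position fields must consist of digits only.
TEXTEDIT_RE = re.compile(
    r"^textedit://(?P<path>/.*):(?P<line>[0-9]+):(?P<char>[0-9]+):(?P<column>[0-9]+)$"
)


def parse_textedit(uri):
    """Return (path, line, char, column) or raise ValueError (the 'abort')."""
    m = TEXTEDIT_RE.match(uri)
    if m is None:
        raise ValueError(f"refusing URI {uri!r}: not textedit or non-digit position fields")
    return m["path"], int(m["line"]), int(m["char"]), int(m["column"])


# Stand-in editor that reports the argv it received, as JSON on stdout.
ARGV_ECHO_EDITOR = (sys.executable, "-c", "import json, sys; print(json.dumps(sys.argv[1:]))")


def hardened_invoke(uri, editor_argv=ARGV_ECHO_EDITOR):
    """Post-fix pattern: validated fields, editor started from an argv list.
    No shell is involved, so metacharacters in the path stay inside one
    argument. Returns (argv, args as seen by the child)."""
    path, line, _char, column = parse_textedit(uri)
    argv = [*editor_argv, f"+{line}:{column}", path]
    proc = subprocess.run(argv, capture_output=True, text=True, check=True)
    return argv, json.loads(proc.stdout)


def rejected(uri):
    """True if the hardened parser aborts on this URI."""
    try:
        parse_textedit(uri)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    cmd, out = vulnerable_invoke(MALICIOUS_URI)
    print("shell command built by the old pattern:", cmd)
    print("output of the injected command:", out.strip())
    print("hardened parser rejects it:", rejected(MALICIOUS_URI))
    print("hardened argv for a metachar path:", hardened_invoke(METACHAR_PATH_URI)[1])
```

The point to take from the two runners: the digit check alone would not have been enough, because the path field is free text by design, so the shell had to go as well; and the argv-based call alone would still have let a non-digit "line" reach the editor as an odd argument, which is why the description adds the field check on top of the switch to system*.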
---
Sent from sourceforge.net because [email protected] is
subscribed to https://sourceforge.net/p/testlilyissues/issues/
_______________________________________________
Testlilyissues-auto mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/testlilyissues-auto