Gabriel Corona - 2018-06-03

See The Secure BROWSER Specification for some analysis on how the BROWSER 
variable could/should work.

https://www.dwheeler.com/browse/secure_browser.html

The BROWSER variable is not really specified and at least 3 different behaviors 
exist:

    some programs use the BROWSER variable as a program to invoke;
    some programs use the BROWSER variable as a colon-separated list of candidate programs to invoke;
    some additionally have support for %s-expansion.

Some programs don't expand the program into several arguments, some do expand 
the program into different arguments based on spaces, some pass the result to 
system (allowing shell commands in the BROWSER variable).

In contrast, the .desktop spec clearly defines how the string should be split 
into different arguments.

https://standards.freedesktop.org/desktop-entry-spec/latest/ar01s07.html
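
One way to cover the three behaviours listed above without ever handing the string to a shell, as an added example (not code from LilyPond or from the comment's author). The names `browser_argv` and `ALLOWED_SCHEMES`, the http/https allow-list, and the use of POSIX-style word splitting via `shlex` are assumptions of this sketch, not something the BROWSER convention or the .desktop spec prescribes.

```python
import shlex
import shutil
from urllib.parse import urlsplit

# Assumption of this example: the caller only ever opens web links.
ALLOWED_SCHEMES = {"http", "https"}


def browser_argv(browser_env, url, which=shutil.which):
    """Build an argv list from a BROWSER value, or return None.

    BROWSER is read as a colon-separated list of candidates. Each
    candidate is split into words first and %s is expanded afterwards,
    word by word, so the URL is always exactly one argument no matter
    which characters it contains.
    """
    # Rejecting unknown schemes also rejects values starting with "-",
    # which a browser could otherwise read as a command-line option.
    if urlsplit(url).scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError("refusing URL scheme: %r" % (url,))

    for candidate in browser_env.split(":"):
        try:
            words = shlex.split(candidate)
        except ValueError:
            continue  # unbalanced quotes: skip this candidate
        if not words or which(words[0]) is None:
            continue  # empty entry or program not installed
        if any("%s" in w for w in words[1:]):
            args = [w.replace("%s", url) for w in words[1:]]
        else:
            args = words[1:] + [url]  # no placeholder: append the URL
        return [words[0]] + args
    return None


if __name__ == "__main__":
    # Constructed sample values. The list returned here is meant for
    # subprocess.run(argv) with the default shell=False.
    sample = "https://example.org/doc?x=1;y=2 z"
    print(browser_argv("nosuch-browser:firefox --new-tab %s", sample))
```
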


---

**[issues:#5342] lilypond-invoke-editor only should only handle textedit URIs**

**Status:** New
**Created:** Mon Jun 11, 2018 05:26 PM UTC by pkx166h
**Last Updated:** Mon Jun 11, 2018 05:26 PM UTC
**Owner:** nobody


This came out of both 

https://sourceforge.net/p/testlilyissues/issues/5243/

and

https://sourceforge.net/p/testlilyissues/issues/5334/

From Knut Petersen - 2018-06-03

I think that lilypond-invoke-editor should only handle textedit URIs. It 
might be a good idea to have a 2nd look at the patch I suggested in 2017.

https://codereview.appspot.com/336240043
https://sourceforge.net/p/testlilyissues/issues/5243/

On top of current master
git revert aee02594be68a968bb843f87d3264777099e46b4
git revert 39f800a7e5acb7cc5da6424c99fd2690e389495a
git revert 807f5eb8cd631133da3be6897e3e8fa7202e089d
wget https://codereview.appspot.com/download/issue336240043_60001.diff
would be needed for a test build.

In 2017 one objection was that my patch does not change the code in lily.scm 
... do we really need to change that code? I don't see a problem as the 
code is executed by lilypond, we give the arguments. But maybe I don't have the 
imagination to see a security hole ... 

