It's easy to get confused in this matter.

On 11/15 2017 Gabriel reported the BROWSER bug, see 
http://lists.gnu.org/archive/html/bug-lilypond/2017-11/msg00024.html.

Eight days later I opend issue 5243 and proposed a patch to fix the BROWSER bug 
and a 2nd security problem related to TEXTEDIT links. My proposed solution was 
to fix the TEXTEDIT code and to completely kill the vulnerable BROWSER code.

Later David proposed an alternative patch in the same issue 5243, that patch 
was  choosen to be integrated into lilypond master. Maybe that patch was the 
better solution for the TEXTEDIT problem, but David's patch did nothing to fix 
the BROWSER bug.

Now Don Armstrong reminds us with his patch that the BROWSER bug is still 
present and proposes a valid solution of that security problem.

Does 'firefox --remote URL' still work? I don't know, I don't care. I'd remove 
the code, but I probably will not complain if it survives another decade. Maybe 
someone will propose a patch to adapt the BROWSER related code to our modern 
software environments.

David's TEXTEDIT code is already in master, apply Don's patch and both security 
holes are closed in that branch.

Probably the TEXTEDT and BROWSER patches should also be part of a 
security-fix-release  2.18.3.


---

** [issues:#5334] Use system* instead of system when invoking browser**

**Status:** Started
**Created:** Sat Jun 02, 2018 06:03 PM UTC by pkx166h
**Last Updated:** Mon Jun 11, 2018 05:31 PM UTC
**Owner:** pkx166h
**Attachments:**

- 
[0001-use-system-instead-of-system.patch](https://sourceforge.net/p/testlilyissues/issues/5334/attachment/0001-use-system-instead-of-system.patch)
 (1.3 kB; text/x-patch)


 Don Armstrong - 2018-05-11

I have just uploaded a fix to Debian which switches to using system* instead of 
system:
https://salsa.debian.org/debian/lilypond/commit/788b56e4b7f62637481af65b4b2929649c30fe78

Not sure if this is cross-platform enough, but it solves the issue for systems 
with a working system* call.


---

Sent from sourceforge.net because [email protected] is 
subscribed to https://sourceforge.net/p/testlilyissues/issues/

To unsubscribe from further messages, a project admin can change settings at 
https://sourceforge.net/p/testlilyissues/admin/issues/options.  Or, if this is 
a mailing list, you can unsubscribe from the mailing list.
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Testlilyissues-auto mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/testlilyissues-auto
  • [Lilypond-... Auto mailings of changes to Lily Issues via Testlilyissues-auto
    • [Lily... Auto mailings of changes to Lily Issues via Testlilyissues-auto
    • [Lily... Auto mailings of changes to Lily Issues via Testlilyissues-auto
    • [Lily... Auto mailings of changes to Lily Issues via Testlilyissues-auto
    • [Lily... Auto mailings of changes to Lily Issues via Testlilyissues-auto
    • [Lily... Auto mailings of changes to Lily Issues via Testlilyissues-auto
    • [Lily... Auto mailings of changes to Lily Issues via Testlilyissues-auto
    • [Lily... Auto mailings of changes to Lily Issues via Testlilyissues-auto
    • [Lily... Auto mailings of changes to Lily Issues via Testlilyissues-auto
    • [Lily... Auto mailings of changes to Lily Issues via Testlilyissues-auto
    • [Lily... Auto mailings of changes to Lily Issues via Testlilyissues-auto
    • [Lily... Auto mailings of changes to Lily Issues via Testlilyissues-auto
    • [Lily... Auto mailings of changes to Lily Issues via Testlilyissues-auto

Reply via email to