It's easy to get confused in this matter.
On 11/15 2017 Gabriel reported the BROWSER bug, see
http://lists.gnu.org/archive/html/bug-lilypond/2017-11/msg00024.html.
Eight days later I opend issue 5243 and proposed a patch to fix the BROWSER bug
and a 2nd security problem related to TEXTEDIT links. My proposed solution was
to fix the TEXTEDIT code and to completely kill the vulnerable BROWSER code.
Later David proposed an alternative patch in the same issue 5243, that patch
was choosen to be integrated into lilypond master. Maybe that patch was the
better solution for the TEXTEDIT problem, but David's patch did nothing to fix
the BROWSER bug.
Now Don Armstrong reminds us with his patch that the BROWSER bug is still
present and proposes a valid solution of that security problem.
Does 'firefox --remote URL' still work? I don't know, I don't care. I'd remove
the code, but I probably will not complain if it survives another decade. Maybe
someone will propose a patch to adapt the BROWSER related code to our modern
software environments.
David's TEXTEDIT code is already in master, apply Don's patch and both security
holes are closed in that branch.
Probably the TEXTEDT and BROWSER patches should also be part of a
security-fix-release 2.18.3.
---
** [issues:#5334] Use system* instead of system when invoking browser**
**Status:** Started
**Created:** Sat Jun 02, 2018 06:03 PM UTC by pkx166h
**Last Updated:** Mon Jun 11, 2018 05:31 PM UTC
**Owner:** pkx166h
**Attachments:**
-
[0001-use-system-instead-of-system.patch](https://sourceforge.net/p/testlilyissues/issues/5334/attachment/0001-use-system-instead-of-system.patch)
(1.3 kB; text/x-patch)
Don Armstrong - 2018-05-11
I have just uploaded a fix to Debian which switches to using system* instead of
system:
https://salsa.debian.org/debian/lilypond/commit/788b56e4b7f62637481af65b4b2929649c30fe78
Not sure if this is cross-platform enough, but it solves the issue for systems
with a working system* call.
---
Sent from sourceforge.net because [email protected] is
subscribed to https://sourceforge.net/p/testlilyissues/issues/
To unsubscribe from further messages, a project admin can change settings at
https://sourceforge.net/p/testlilyissues/admin/issues/options. Or, if this is
a mailing list, you can unsubscribe from the mailing list.
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Testlilyissues-auto mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/testlilyissues-auto
