"James Lowe" <[email protected]> writes: > Herr Petersen, > > On Wed, 13 Dec 2017 14:53:58 +0100, Knut Petersen > <[email protected]> wrote: > >> Am 12.12.2017 um 11:54 schrieb James Lowe: >> > Hello, >> > >> > Here is the current patch countdown list. The next countdown will be on >> > December 16th. >> >> We still have a severe security hole in lilypond, and a patch is available. >> See https://sourceforge.net/p/testlilyissues/issues/5243/ > > Yes I see a patch is available. > >> >> It would take only minutes to prepare a pdf that starts to recursively >> wipe out the home directory of any user who opens that pdf in evince, >> mupdf etc. if support for textedit links is installed as recommended >> in our documentation. textedit links also might be embedded in html. > > I don't doubt that your comments are valid, however looking at that > tracker thread and not being a developer I cannot tell if this was > still under discussion and it looked like, to my inexperienced eyes > anyway, that there was some dispute or reasoning that still needed > confirmation. > > So, if this tracker is NOT supposed to be at 'needs_work' then by all > means set it back to review. However, to save more compilation > failures, can you rebase the patch to current master as it has been a > while since your patch was uploaded. > > Then I can see what needs to be done.

I'll upload a different and more generic patch today that doesn't change
as much but sort-of opens a different can of worms. But it would need
testing on Windows and I don't really know how to do that even
half-reliably.

-- 
David Kastrup

_______________________________________________
lilypond-devel mailing list
[email protected]
https://lists.gnu.org/mailman/listinfo/lilypond-devel
