Hello Gabriel

On Sun, 18 Mar 2018 01:14:20 -0000, "Gabriel Corona" <[email protected]> wrote:
> AFAIU, the fix of lilypond-invoke-editor is not merged. I still have this:
>
> ~~~
> (define (run-browser uri)
>   (system
>    (if (getenv "BROWSER")
>        (format #f "~a ~a" (getenv "BROWSER") uri)
>        (format #f "firefox -remote 'OpenURL(~a,new-tab)'" uri))))
> ~~~
>
> You also said:
>
> > With this patch lilypond-invoke-editor only handles textedit URIs, and it does no longer use the system's command processor but Guile's system* procedure for those URIs.
>
> AFAIU, this is not completely true. It does handle other URIs.
>
> If there's no intent to fix the command injection vulnerability in lilypond-invoke-editor, run-browser and the (run-browser ...) branch in main should be removed altogether. Another solution would be to (shell-quote-argument uri) in run-browser (though I'd be more confident with using system on non-Windows).
>
> Sent from sourceforge.net ...
> <https://sourceforge.net/p/testlilyissues/issues/5243/>

I am ccing the dev group in email as this issue is marked as 'closed/fixed' and the code is checked in to current master, so if we need to do something more we may need to create a new ticket rather than re-open this. You may not get a discussion thread going via a closed ticket.

Maybe someone in the dev team can comment.

Regards

James
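
A shell-free form of the `run-browser` quoted above, as an added example that is not LilyPond's code and not part of the original message. The `browser-uri?` helper and its http(s)-only policy are assumptions, `BROWSER` is assumed to hold a single program name without arguments, and the firefox `-remote` syntax is replaced by passing the URI as a plain argument.

```scheme
;; Added example (Guile): the URI never reaches a shell.
(use-modules (ice-9 regex))

;; Hypothetical policy: forward only http(s) URIs without whitespace or
;; control characters.  Requiring the scheme prefix also keeps a value
;; that starts with "-" from being read by the browser as an option.
(define (browser-uri? uri)
  (and (string? uri)
       (string-match "^https?://[^[:space:][:cntrl:]]+$" uri)
       #t))

(define (run-browser uri)
  (if (browser-uri? uri)
      ;; system* executes the program directly with an argument vector,
      ;; so quotes, ';', '$' and backticks in uri are ordinary bytes.
      ;; Assumption: BROWSER names one program, with no embedded arguments.
      (system* (or (getenv "BROWSER") "firefox") uri)
      (begin
        (format (current-error-port) "refusing to open URI: ~s~%" uri)
        #f)))

;; Constructed sample values (not taken from the ticket).
(define samples
  '("http://example.invalid/doc.html"
    "https://example.invalid/a;b'c"        ; shell metacharacters, still one argument
    "textedit:///tmp/score.ly:1:0:0"       ; not http(s): rejected by this policy
    "-remote http://example.invalid/"))    ; leading "-": rejected

;; Show the policy decision for each sample without launching a browser.
(for-each
 (lambda (uri)
   (format #t "~a ~s~%" (if (browser-uri? uri) "open  " "reject") uri))
 samples)

;; The argument arrives intact and unparsed: printf receives the whole
;; string as a single argv entry and prints it verbatim.
(system* "printf" "%s\n" "https://example.invalid/a;b'c")
```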
