Knut Petersen <knut_peter...@t-online.de> writes:

> 12 years ago a security problem was introduced into lilypond-invoke-editor.
> On 2017/11/15 the problem was reported to the bug-lilypond mailing
> list by Gabriel Corona.

[...]

> If you do not know if you are affected:
>
> 1. Locate lilypond-invoke-editor
>
> 2. Open lilypond-invoke-editor in your favorite text editor. Search for
>
>        (if (is-textedit-uri? uri)
>          (run-editor uri)
>          (run-browser uri)))))
>
> and replace it with
>
>        (if (is-textedit-uri? uri)
>          (run-editor uri)))))

Stupid question: what does run-editor do to be inherently safer than
run-browser, and what would prevent run-browser from doing the same?

The reason I am asking is that changing the semantics significantly
before 2.20 is icky, yet we would not want to leave a security hole
around we have been given notice of.

So the question is whether there would not be a sort-of trivial patchup
of this preserving the original intent.

For the long haul, it's probably the right fix on GNU/Linux systems.  I
just have no idea how this would affect other systems and possibly our
installers.

-- 
David Kastrup

_______________________________________________
lilypond-user mailing list
lilypond-user@gnu.org
https://lists.gnu.org/mailman/listinfo/lilypond-user
