[Lilypond-auto] [LilyIssues-auto] [testlilyissues:issues] Re: #5243 Fix security problem in lilypond-invoke-editor

2018-06-03 Thread Auto mailings of changes to Lily Issues via Testlilyissues-auto
Hey Don, The original fix for this issue was in three commits author David Kastrup Tue, 28 Nov 2017 11:18:07 + (12:18 +0100) committer David Kastrup Thu, 25 Jan 2018 11:25:41 + (12:25 +0100) commit 807f5eb8cd631133da3be6897e3e8fa7202e089d

[Lilypond-auto] [LilyIssues-auto] [testlilyissues:issues] Re: #5243 Fix security problem in lilypond-invoke-editor

2018-06-02 Thread Auto mailings of changes to Lily Issues via Testlilyissues-auto
Don, as this issue was already closed, I have taken your patch, rebased it to current master and attached it to a new issue - https://sourceforge.net/p/testlilyissues/issues/5334/ The developer who had committed the patch for this tracker had asked why the fix (on this issue) was not enough.

[Lilypond-auto] [LilyIssues-auto] [testlilyissues:issues] Re: #5243 Fix security problem in lilypond-invoke-editor

2018-03-19 Thread Auto mailings of changes to Lily Issues via Testlilyissues-auto
The fix is merged. It just does not involve run-browser. This would likely warrant additional shell-quoting here or possibly just removing the run-browser functionality if we see no clean way to make this work. --- ** [issues:#5243] Fix security problem in lilypond-invoke-editor**

[Lilypond-auto] [LilyIssues-auto] [testlilyissues:issues] Re: #5243 Fix security problem in lilypond-invoke-editor

2017-11-25 Thread Auto mailings of changes to Lily Issues via Testlilyissues-auto
Yes, someone should verify that on windows/mac systems. It's a bit OT here, but thinking about general security in lilypond I ask myself how many people would try to compile a lilypond source file that contains something like #(ly:system-with-shell "some_unexpected_command"). There is a safe

[Lilypond-auto] [LilyIssues-auto] [testlilyissues:issues] Re: #5243 Fix security problem in lilypond-invoke-editor

2017-11-25 Thread Auto mailings of changes to Lily Issues via Testlilyissues-auto
"Knut Petersen" writes: >> We also have to inspect every other use of scm_system, > e.g. backend_library.scm. If someone offers to run lilypond on a > server, a similar attack might be (probably is) possible. > > Converting to pdf looks pretty safe to me. > > We do filter

[Lilypond-auto] [LilyIssues-auto] [testlilyissues:issues] Re: #5243 Fix security problem in lilypond-invoke-editor

2017-11-25 Thread Auto mailings of changes to Lily Issues via Testlilyissues-auto
> We also have to inspect every other use of scm_system, e.g. > backend_library.scm. If someone offers to run lilypond on a server, a similar > attack might be (probably is) possible. Converting to pdf looks pretty safe to me. We do filter characters in \bookOutputSuffix, but something like

[Lilypond-auto] [LilyIssues-auto] [testlilyissues:issues] Re: #5243 Fix security problem in lilypond-invoke-editor

2017-11-24 Thread Auto mailings of changes to Lily Issues via Testlilyissues-auto
We also have to inspect every other use of scm_system, e.g. backend_library.scm. If someone offers to run lilypond on a server, a similar attack might be (probably is) possible. I think there are characters allowed in filenames that have special meaning to a number of shells. Even if suspicious

[Lilypond-auto] [LilyIssues-auto] [testlilyissues:issues] Re: #5243 Fix security problem in lilypond-invoke-editor

2017-11-24 Thread Auto mailings of changes to Lily Issues via Testlilyissues-auto
You probably tested patch set #3 that contained a mistake. Set #4 builds fine here. --- ** [issues:#5243] Fix security problem in lilypond-invoke-editor** **Status:** Started **Created:** Thu Nov 23, 2017 08:35 AM UTC by Knut Petersen **Last Updated:** Fri Nov 24, 2017 09:57 PM UTC **Owner:**