Hey Don,
The original fix for this issue was in three commits
author David Kastrup
Tue, 28 Nov 2017 11:18:07 +0000 (12:18 +0100)
committer David Kastrup
Thu, 25 Jan 2018 11:25:41 +0000 (12:25 +0100)
commit 807f5eb8cd631133da3be6897e3e8fa7202e089d
Don, as this issue was already closed, I have taken your patch, rebased it to
current master and attached it to a new issue -
https://sourceforge.net/p/testlilyissues/issues/5334/
The developer who had committed the patch for this tracker had asked why the
fix (on this issue) was not enough.
The fix is merged. It just does not involve run-browser. This would likely
warrant additional shell-quoting here or possibly just removing the run-browser
functionality if we see no clean way to make this work.
---
** [issues:#5243] Fix security problem in lilypond-invoke-editor**
Yes, someone should verify that on windows/mac systems.
It's a bit OT here, but thinking about general security in lilypond I ask
myself how many people would try to compile a lilypond source file that
contains something like #(ly:system-with-shell "some_unexpected_command").
There is a safe
"Knut Petersen" writes:
> We also have to inspect every other use of scm_system, e.g.
> backend_library.scm. If someone offers to run lilypond on a server, a similar
> attack might be (probably is) possible.
>
> Converting to pdf looks pretty safe to me.
>
> We do filter characters in \bookOutputSuffix, but something like

I think there are characters allowed in filenames that have special meaning to
a number of shells. Even if suspicious
You probably tested patch set #3 that contained a mistake. Set #4 builds fine
here.
---
** [issues:#5243] Fix security problem in lilypond-invoke-editor**
**Status:** Started
**Created:** Thu Nov 23, 2017 08:35 AM UTC by Knut Petersen
**Last Updated:** Fri Nov 24, 2017 09:57 PM UTC
**Owner:**
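The two points raised in the thread, that a fix "would likely warrant additional shell-quoting" and that "there are characters allowed in filenames that have special meaning to a number of shells", can be seen directly in a few lines of POSIX sh. The following is an added example, not code from this issue or from LilyPond: it pastes a constructed file name into a command string the way a naive system() call would, then shows two ways to make the same name harmless. The helper names (`shell_quote`, `open_unsafe`, `open_safe`, `open_argv`) and the sample names are assumptions made for the demonstration, and `printf` stands in for the editor or browser command the real script would launch.

```sh
#!/bin/sh
# Added example, not LilyPond code: what happens when a file name reaches
# /bin/sh as part of a command string, and two ways to stop it.
# Helper names and sample file names are constructed for this demo;
# printf stands in for the editor/browser command the real script would run.

# shell_quote: turn one arbitrary string into a single sh word.
# Single quotes protect every character except the single quote itself,
# so each embedded ' becomes '\'' (close quote, escaped quote, reopen).
# Caveat: $(...) strips trailing newlines, so a name ending in a newline
# would lose it here.
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# UNSAFE: the name is pasted into the command text, the way a naive
# (string-append "editor " file) handed to a system() call would do it.
# The shell that parses the string treats ';', '$', backquotes... as syntax.
open_unsafe() {
    sh -c "printf '%s\n' $1"
}

# SAFE (quoting): the name is quoted before it is pasted, so the inner
# shell sees exactly one literal word whatever characters it contains.
open_safe() {
    sh -c "printf '%s\n' $(shell_quote "$1")"
}

# SAFER (no pasting at all): pass the name as a positional parameter.
# The command text is a constant, so there is nothing left to quote.
open_argv() {
    sh -c 'printf "%s\n" "$1"' sh "$1"
}

# Constructed sample: a "file name" that smuggles a second command.
evil='score.ly; echo INJECTED'

echo "== unsafe =="; open_unsafe "$evil"   # prints score.ly, then INJECTED
echo "== quoted =="; open_safe "$evil"     # prints the name verbatim
echo "== argv   =="; open_argv "$evil"     # prints the name verbatim
```

Quoting the whole argument is preferred here over filtering characters out of it: the set of characters a shell treats specially is not the same across shells, while a single-quoted word is literal in every POSIX shell. Passing the name as a positional parameter (`open_argv`) goes one step further, because the command text never changes and no quoting step can be forgotten.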