[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Arbitrary shell command injection in lilypond-invoke-editor
From: |
Gabriel Corona |
Subject: |
Re: Arbitrary shell command injection in lilypond-invoke-editor |
Date: |
Wed, 22 Nov 2017 21:32:58 +0100 |
User-agent: |
NeoMutt/20170609 (1.8.3) |
> That means: There only is a real and severe security problem if
> lilypond-invoke-editor is installed to handle non-textedit URIs.
>
> Does anybody do that? Probably not.
>
> I think we simply should nuke run-browser and do nothing
> if lilypond-invoke-editor is called with a non-textedit URI.
Disclaimer: I don't use lilypond-invoke-editor. In fact, I don't use
lilypond at all.
The documentation [1] claims that this is the intended usage:
> The program ‘lilypond-invoke-editor’ is a small helper program. It
> will invoke an editor for the special textedit URIs, and run a web
> browser for others. It tests the environment variable EDITOR for the
> following patterns,
I'm not sure if it's easy to configure per-URI-scheme handlers in many
PDF readers. At least in some cases, the option to use
lilypond-invoke-editor as a generic handler is probably the easiest
one.
For reference, this can be fixed (on non-Windows) with something like:
(define (run-browser uri)
(let ((browser (if (getenv "BROWSER")
(getenv "BROWSER")
"firefox")))
(execlp browser browser uri)))
I guess this fix won't work on Windows. Maybe system* would work?
[1]
http://lilypond.org/doc/v2.18/Documentation/usage/configuring-the-system-for-point-and-click.html
--
Gabriel