[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Lilypond-auto] [LilyIssues-auto] [testlilyissues:issues] #5243 Fix secu

From: Auto mailings of changes to Lily Issues via Testlilyissues-auto
Subject: [Lilypond-auto] [LilyIssues-auto] [testlilyissues:issues] #5243 Fix security problem in lilypond-invoke-editor
Date: Sun, 28 Jan 2018 12:28:26 -0000

author  David Kastrup <address@hidden> 
Tue, 28 Nov 2017 11:18:07 +0000 (12:18 +0100)
committer   David Kastrup <address@hidden> 
Thu, 25 Jan 2018 11:25:41 +0000 (12:25 +0100)
commit  807f5eb8cd631133da3be6897e3e8fa7202e089d
author  David Kastrup <address@hidden> 
Tue, 28 Nov 2017 11:19:02 +0000 (12:19 +0100)
committer   David Kastrup <address@hidden> 
Thu, 25 Jan 2018 11:25:48 +0000 (12:25 +0100)
commit  39f800a7e5acb7cc5da6424c99fd2690e389495a
author  David Kastrup <address@hidden> 
Tue, 28 Nov 2017 11:19:30 +0000 (12:19 +0100)
committer   David Kastrup <address@hidden> 
Thu, 25 Jan 2018 11:25:53 +0000 (12:25 +0100)
commit  aee02594be68a968bb843f87d3264777099e46b4

[issues:#5243] Fix security problem in lilypond-invoke-editor

Status: Fixed
Labels: Fixed _2_21_0
Created: Thu Nov 23, 2017 08:35 AM UTC by Knut Petersen
Last Updated: Thu Jan 25, 2018 11:14 AM UTC
Owner: David Kastrup

David Kastrup - 22 hours ago

More conservative parsing of textedit URIs

Also contains commits:

Let get-editor use shell-quote-argument

Addresses security concerns.

(editor scm): Add shell-quote-argument function

This is mostly stolen from Emacs.

I have no idea how to properly test this or whether it runs at all.

Initial issue for this Tracker (replace by the info above):
Fix security problem in lilypond-invoke-editor

If lilypond-invoke-editor was installed as a general
uri-helper it was easy to abuse it to execute arbitrary
code on an attacked system for non-textedit URIs.
This part of the problem was discovered and reported
to our bug-lilypond mailing list by Gabriel Corona.

But also pure textedit URIs were vulnerable, an
example is the URI

textedit:///:&xterm -e find ~/&:x:

that executes "find ~/" in a xterm.

With this patch lilypond-invoke-editor only
handles textedit URIs, and it does no longer
use the systems command processor but
guiles system* procedure for those URIs.

Also the script will abort if the line, char and
column fields of a textedit URI contain anything
but digits.

We could have fixed URI passing to the browser,
but it is not our job to provide a general URI helper.
Other software (e.g. xdg-open and friends) should
be used for that.

The security problem fixed now was introduced
into lilypond in the year 2005.

Signed-off-by: Knut Petersen address@hidden

Sent from because address@hidden is subscribed to

To unsubscribe from further messages, a project admin can change settings at Or, if this is a mailing list, you can unsubscribe from the mailing list.

Check out the vibrant tech community on one of the world's most
engaging tech sites,!
Testlilyissues-auto mailing list

reply via email to

[Prev in Thread] Current Thread [Next in Thread]