
Re: lilypond-invoke-editor 'fix' for issue 5243


From: James Lowe
Subject: Re: lilypond-invoke-editor 'fix' for issue 5243
Date: Mon, 19 Mar 2018 11:24:39 +0000 (GMT)

Hello Gabriel

On Sun, 18 Mar 2018 01:14:20 -0000, "Gabriel Corona" <address@hidden> wrote:

> AFAIU, the fix of lilypond-invoke-editor is not merged. I still have this:
> 
> ~~~
> (define (run-browser uri)
>   (system
>    (if (getenv "BROWSER")
>        (format #f "~a ~a" (getenv "BROWSER") uri)
>        (format #f "firefox -remote 'OpenURL(~a,new-tab)'" uri))))
> ~~~

You also said:

With this patch lilypond-invoke-editor only
handles textedit URIs, and it does no longer
use the system's command processor but
Guile's system* procedure for those URIs.

AFAIU, this is not completely true. It does handle other URIs. If there's no 
intent to fix the command injection vulnerability in lilypond-invoke-editor, 
run-browser and the (run-browser ...) branch in main should be removed 
altogether.

Another solution would be to (shell-quote-argument uri) in run-browser (though 
I'd be more confident with using system on non-Windows).


> 
> Sent from sourceforge.net ... 
> <https://sourceforge.net/p/testlilyissues/issues/5243/>

I am ccing the dev group in email as this issue is marked as 'closed/fixed' and 
the code is checked in to current master so if we need to do something more we 
may need to create a new ticket rather than re-open this.

You may not get a discussion thread going via a closed ticket.

Maybe someone in the dev team can comment.

Regards

James
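
Added example, not part of the email above and not LilyPond's own code: a Guile sketch contrasting the single shell string that the quoted `run-browser` passes to `system` with an argument vector passed to `system*`, which starts the program without a shell. The names `shell-command-line`, `browser-argv`, `allowed-uri?` and `run-browser-no-shell`, the scheme allow-list, the `firefox` fallback and the sample URI are assumptions made for illustration.

```scheme
;; Added example (assumed names throughout; not LilyPond source).
;; Constructed sample input: a URI that contains a shell metacharacter.
(define sample-uri "http://example.invalid/x;echo INJECTED")

;; The string the quoted run-browser builds for `system`. /bin/sh parses
;; it, so the ';' inside the URI ends the browser command and the rest
;; is read as a second command.
(define (shell-command-line browser uri)
  (format #f "~a ~a" browser uri))

;; Argument vector for `system*`. No shell is involved, so the URI stays
;; one argv element whatever characters it contains. Simplification:
;; BROWSER is split on whitespace only (no "%s" or ':' list handling).
(define (browser-argv browser uri)
  (append (string-tokenize browser) (list uri)))

;; Hypothetical allow-list of URI schemes. Requiring a known prefix also
;; rejects a "URI" that starts with '-' and would be read as an option.
(define (allowed-uri? uri)
  (or (string-prefix? "http://" uri)
      (string-prefix? "https://" uri)
      (string-prefix? "file://" uri)))

;; run-browser without the command processor: returns the status from
;; system*, or #f when the URI is refused.
(define (run-browser-no-shell uri)
  (if (allowed-uri? uri)
      (apply system*
             (browser-argv (or (getenv "BROWSER") "firefox") uri))
      (begin
        (format (current-error-port) "refusing URI: ~s~%" uri)
        #f)))

;; Show both forms for the constructed URI without starting anything.
(display "system  : ")
(write (shell-command-line "firefox" sample-uri))
(newline)
(display "system* : ")
(write (browser-argv "firefox" sample-uri))
(newline)
```

The first line printed is one string for the shell to split; the second is a two-element list in which the whole URI is a single argument.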





