Description
Fix security problem in lilypond-invoke-editor
If lilypond-invoke-editor was installed as a
general URI helper, it was easy to abuse it to
execute arbitrary code on an attacked system
for non-textedit URIs. This part of the problem
was discovered and reported to our bug-lilypond
mailing list by Gabriel Corona.
But pure textedit URIs were also vulnerable;
an example is the URI
textedit:///:&xterm -e find ~/&:x:
that executes "find ~/" in an xterm.
With this patch lilypond-invoke-editor only
handles textedit URIs, and it no longer
uses the system's command processor but Guile's
system* procedure for those URIs.
Also the script will abort if the line, char
and column fields of a textedit URI contain
anything but digits.
We could have fixed URI passing to the browser,
but it is not our job to provide a general
URI helper. Other software (e.g. xdg-open and
friends) should be used for that.
The security problem fixed now was introduced
into lilypond in the year 2005.
Signed-off-by: Knut Petersen <knut_petersen@t-online.de>
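As an added illustration (not the project's code and not taken from lilypond-invoke-editor), here is the discipline the commit message describes, written in Python rather than Guile: accept only textedit URIs whose line, char and column fields are all digits, and hand the editor an argv list instead of a shell command line. The layout textedit:///path:line:char:column and the percent-encoded path are assumptions of this example.

```python
import re
import subprocess
from typing import Optional
from urllib.parse import unquote

# Only the textedit scheme is accepted, and the line/char/column fields must
# be digits; a different scheme, shell metacharacters in a numeric field, or
# a missing field makes the URI malformed.  Assumed layout (not taken from
# lilypond-invoke-editor itself):
#   textedit:///<percent-encoded path>:<line>:<char>:<column>
TEXTEDIT_RE = re.compile(r"^textedit://(/.*):(\d+):(\d+):(\d+)$")


def parse_textedit_uri(uri: str) -> Optional[dict]:
    """Return the fields of a well-formed textedit URI, or None to refuse it."""
    m = TEXTEDIT_RE.match(uri)
    if m is None:
        return None
    path, line, char, column = m.groups()
    return {
        "file": unquote(path),  # assumption: the path is percent-encoded
        "line": int(line),
        "char": int(char),
        "column": int(column),
    }


def editor_argv(uri: str, editor: str = "vi") -> list:
    """Build the editor command as an argv list.

    Each element reaches the editor as exactly one argument, so a path such
    as '/tmp/my score & notes.ly' is never split or interpreted as a command:
    no shell sits in between (the property gained by replacing the system
    command processor with Guile's system*).
    """
    fields = parse_textedit_uri(uri)
    if fields is None:
        raise ValueError(f"refusing URI, not a well-formed textedit URI: {uri!r}")
    return [editor, f"+{fields['line']}", fields["file"]]


def run_editor(uri: str, editor: str = "vi") -> int:
    """Launch the editor without a shell and return its exit status."""
    argv = editor_argv(uri, editor)
    # subprocess.run with a list and shell=False (the default) execs directly.
    return subprocess.run(argv, check=False).returncode
```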
Patch Set 1
Patch Set 2: Also textedit links are vulnerable, attempt to fix this
Patch Set 3: Fixing a stupid mistake
Patch Set 4: Fix that stupid error in line 1, whitespace cleanup