bug-lilypond

Re: Arbitrary shell command injection in lilypond-invoke-editor


From: Gabriel Corona
Subject: Re: Arbitrary shell command injection in lilypond-invoke-editor
Date: Wed, 22 Nov 2017 21:32:58 +0100
User-agent: NeoMutt/20170609 (1.8.3)

> That means: There only is a real and severe security problem if
> lilypond-invoke-editor is installed to handle non-textedit URIs.
> 
> Does anybody do that? Probably not.
> 
> I think we simply should nuke run-browser and do nothing
> if lilypond-invoke-editor is called with a non-textedit URI.

Disclaimer: I don't use lilypond-invoke-editor. In fact, I don't use
lilypond at all.

The documentation [1] claims that this is the intended usage:

> The program ‘lilypond-invoke-editor’ is a small helper program.  It
> will invoke an editor for the special textedit URIs, and run a web
> browser for others. It tests the environment variable EDITOR for the
> following patterns,

I'm not sure if it's easy to configure per-URI-scheme handlers in many
PDF readers. At least in some cases, the option to use
lilypond-invoke-editor as a generic handler is probably the easiest
one.

For reference, this can be fixed (on non-Windows) with something like:

(define (run-browser uri)
  ;; Honour $BROWSER, falling back to firefox.
  (let ((browser (if (getenv "BROWSER")
                     (getenv "BROWSER")
                     "firefox")))
    ;; execlp replaces the current process and hands the URI over as a
    ;; single argv element, so no shell ever parses it.
    (execlp browser browser uri)))

I guess this fix won't work on Windows. Maybe system* would work?

[1] http://lilypond.org/doc/v2.18/Documentation/usage/configuring-the-system-for-point-and-click.html

--
Gabriel
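Added example, not code from the thread or from LilyPond: the same argv-based pattern as the execlp fix above, written in Python so it can be exercised offline. It shows the shape of the vulnerable "build one command string and hand it to the shell" pattern next to the safe "URI is one argv element" form, adds the scheme check the thread suggests (handle textedit and http(s), do nothing for anything else), and uses the Python interpreter as a stand-in for the browser to prove that shell metacharacters arrive literally. The helper names, the editor fallback and the sample URIs are assumptions made for this illustration.

```python
"""Argv-based URI dispatch, the shell-free pattern behind the run-browser
fix.  Function names, the editor fallback and the sample URIs are
constructed for this example; none of it is LilyPond's own code."""
import os
import subprocess
import sys
from typing import List, Optional
from urllib.parse import urlsplit

ALLOWED_BROWSER_SCHEMES = {"http", "https"}


def unsafe_command_string(browser: str, uri: str) -> str:
    """The vulnerable shape: an attacker-controlled URI interpolated into a
    single string that would later be passed to /bin/sh.  Any shell
    metacharacter in `uri` becomes shell syntax.  Returned for inspection
    only; this example never executes it."""
    return f"{browser} {uri}"


def build_browser_argv(uri: str, browser: Optional[str] = None) -> List[str]:
    """Safe equivalent of (execlp browser browser uri): the URI is exactly
    one argv element, so no shell ever tokenises it.  Mirrors the
    $BROWSER / firefox fallback from the Scheme snippet."""
    browser = browser or os.environ.get("BROWSER") or "firefox"
    return [browser, uri]


def dispatch_uri(uri: str) -> Optional[List[str]]:
    """Hardened handler: textedit URIs go to the editor, http(s) to the
    browser, everything else is refused (the 'do nothing' option).
    Returns the argv that would be executed, or None when rejected."""
    scheme = urlsplit(uri).scheme.lower()
    if scheme == "textedit":
        # Fallback editor is an assumption for this example.
        editor = os.environ.get("EDITOR") or "vi"
        return [editor, uri]
    if scheme in ALLOWED_BROWSER_SCHEMES:
        return build_browser_argv(uri)
    return None


def echo_argument(uri: str) -> str:
    """Spawn a child the argv way and return what it received as argv[1].
    The interpreter stands in for the browser so this runs offline."""
    argv = [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", uri]
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Constructed sample: a URI carrying shell metacharacters.
    hostile = "http://example.invalid/; echo INJECTED"
    print("shell string :", unsafe_command_string("firefox", hostile))
    print("argv         :", build_browser_argv(hostile, "firefox"))
    print("child argv[1]:", echo_argument(hostile))
    print("ftp rejected :", dispatch_uri("ftp://example.invalid/") is None)
```

The point to verify is the third line of output: the child sees the whole hostile string, semicolon included, as one argument, which is exactly what execlp (or Guile's system*) gives you and what a `system` call with string concatenation does not.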