From: knupero
Subject: Fix security problem in lilypond-invoke-editor (issue 336240043 by address@hidden)
Date: Thu, 23 Nov 2017 00:48:59 -0800
Reviewers: ,
Message:
This security problem was introduced in 2005.
Description:
Fix security problem in lilypond-invoke-editor
If lilypond-invoke-editor was installed as a
general uri-helper it was easy to abuse it to
execute arbitrary code on an attacked system.
With this patch lilypond-invoke-editor only
handles textedit URIs.
We could have fixed URI passing to the browser,
but it is not our job to provide a general
URI helper. Other software (e.g. xdg-open and
friends) should be used for that.
Signed-off-by: Knut Petersen <address@hidden>
Please review this at https://codereview.appspot.com/336240043/
Affected files (+11, -20 lines):
M Documentation/de/usage/external.itely
M Documentation/usage/external.itely
M scripts/lilypond-invoke-editor.scm
Index: Documentation/de/usage/external.itely
diff --git a/Documentation/de/usage/external.itely
b/Documentation/de/usage/external.itely
index
6f57989516fd4d001a36e3a98c7c2ab42992a981..5a8fe66bd6974ee1a99a8c83c85af4f1ccf3b20f
100644
--- a/Documentation/de/usage/external.itely
+++ b/Documentation/de/usage/external.itely
@@ -49,8 +49,9 @@ zu finden, indem man auf sie im PDF-Programm klickt. Das
erleichtert
es, die Stellen zu finden, die Fehler in der Notation verursachen.
Wenn diese Funktionalität aktiv ist, fügt LilyPond Hyperlinks zur
-PDF-Datei hinzu. Diese Hyperlinks werden an den Webbrowser gesendet,
-der einen Texteditor mit dem Cursor an der richtigen Stelle öffnet.
+PDF-Datei hinzu. Diese Hyperlinks können an ein @q{URI-Hilfsprogramm}
+gesendet werden, das dann einen Texteditor mit dem Cursor an der
+richtigen Stelle öffnet.
Damit diese Kettenreaktion funktionieren kann, müssen Sie das
PDF-Programm dazu anweisen, Hyperlinks zu folgen, indem das Skript
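Review bot: the new German wording says the hyperlinks "können an ein @q{URI-Hilfsprogramm} gesendet werden" (can be sent), while the English hunk for Documentation/usage/external.itely states they "are sent to a @q{URI helper}"; the two translations should make the same statement. The German reading is the more accurate one, since the following paragraph explains that the PDF viewer has to be configured for this to happen at all, so the English text is the one to adjust.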
@@ -65,10 +66,9 @@ entweder in @file{/etc/xpdfrc} oder als
@file{$HOME/.xpdfrc}:
urlCommand "lilypond-invoke-editor %s"
@end example
-Das Programm @file{lilypond-invoke-editor} ist ein kleines
-Hilfsprogramm. Es ruft einen Editor für besondere @code{textedit}-URIs#
-auf und einen Webbrowser für andere. Es testes die Umgebungsvariable
address@hidden nach folgenden Mustern:
+Das Programm @file{lilypond-invoke-editor} ist das @q{URI-Hilfsprogramm}.
+Es ruft einen Editor für @code{textedit}-URIs# auf. Es testet die
+Umgebungsvariable @code{EDITOR} nach folgenden Mustern:
@table @code
@item emacs
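Review bot: the added line `+Es ruft einen Editor für @code{textedit}-URIs# auf.` carries over the stray `#` after `-URIs` from the removed line; if that is not deliberate Texinfo markup, drop it while the sentence is being rewritten anyway. The `testes` to `testet` correction on the next added line is a welcome fix.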
Index: Documentation/usage/external.itely
diff --git a/Documentation/usage/external.itely
b/Documentation/usage/external.itely
index
659abd27ba934d002216b614cc92573bddb07db9..00a693c4c2faa022b0b94198ec8bf9fa6d6afcb0
100644
--- a/Documentation/usage/external.itely
+++ b/Documentation/usage/external.itely
@@ -44,9 +44,8 @@ error in the sheet music.
@subsection Configuring the system
When this functionality is active, LilyPond adds hyperlinks to PDF and
-SVG files. These hyperlinks are sent to a @q{URI helper} or a
-web-browser, which opens a text-editor with the cursor in the right
-place.
+SVG files. These hyperlinks are sent to a @q{URI helper}, which opens
+a text-editor with the cursor in the right place.
To make this chain work, you should configure your PDF viewer to
follow hyperlinks using the @file{lilypond-invoke-editor} script
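Review bot: the rewritten sentence "These hyperlinks are sent to a @q{URI helper}, which opens a text-editor" reads as if every hyperlink reaches a helper unconditionally, but the next paragraph says the viewer must be configured to do so; "can be sent to a @q{URI helper}" would be accurate and would match the German hunk. As a style point, "text-editor" is hyphenated here while the usual form is "text editor".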
@@ -54,8 +53,8 @@ supplied with LilyPond.
The program @file{lilypond-invoke-editor} is a small helper
program. It will invoke an editor for the special @code{textedit}
-URIs, and run a web browser for others. It tests the environment
-variable @code{EDITOR} for the following patterns,
+URIs. It tests the environment variable @code{EDITOR} for the following
+patterns,
@table @code
@item emacs
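Review bot: after dropping "and run a web browser for others", the documentation no longer says what the script does with a URI that is not a @code{textedit} URI. One sentence stating that other URIs are not handled and that a general handler such as xdg-open should be configured for them, as the commit message already explains, would stop users from installing the script as a catch-all URI helper again.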
Index: scripts/lilypond-invoke-editor.scm
diff --git a/scripts/lilypond-invoke-editor.scm
b/scripts/lilypond-invoke-editor.scm
index
6658f50166dfe4d98f56d2d2aad068d4e291f864..3e485f53ec67abd1e0d18079314164f68e6c6e57
100644
--- a/scripts/lilypond-invoke-editor.scm
+++ b/scripts/lilypond-invoke-editor.scm
@@ -126,13 +126,6 @@ Options:
(_ "failed to invoke editor: ~a") command)
(exit 1)))))
-(define (run-browser uri)
- (system
- (if (getenv "BROWSER")
- (format #f "~a ~a" (getenv "BROWSER") uri)
- (format #f "firefox -remote 'OpenURL(~a,new-tab)'" uri))))
-
-
(define (strip-framework-path var)
(define pat "lilypond/usr")
(if (getenv var)
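Review bot: deleting run-browser is the right fix, not just a simplification: it passed the untrusted uri to `system` through `(format #f "~a ~a" (getenv "BROWSER") uri)` and the `firefox -remote 'OpenURL(~a,new-tab)'` fallback without any quoting, so shell metacharacters in a hyperlink were executed as commands. The hunk context is the `Options:` help text; please check that the usage message and any remaining mention of the BROWSER environment variable in this file are removed as well, otherwise the script advertises a fallback that no longer exists.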
@@ -169,7 +162,6 @@ Options:
(strip-framework-path "LD_LIBRARY_PATH")
(let* ((uri (car files)))
(if (is-textedit-uri? uri)
- (run-editor uri)
- (run-browser uri)))))
+ (run-editor uri)))))
(main (command-line))
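Review bot: with `(if (is-textedit-uri? uri) (run-editor uri))` a non-textedit URI now falls through silently with exit status 0, so a PDF viewer that is still configured with this script as its general urlCommand gets no feedback at all. Consider an else branch that prints a diagnostic and calls `(exit 1)`, mirroring the "failed to invoke editor" path above, so the rejection shows up in the viewer's log instead of looking like a successful no-op.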