From: Auto mailings of changes to Lily Issues via Testlilyissues-auto
Subject: [Lilypond-auto] [LilyIssues-auto] [testlilyissues:issues] #5243 Fix security problem in lilypond-invoke-editor
Date: Fri, 24 Nov 2017 17:57:07 -0000
Diff:
--- old +++ new @@ -1,16 +1,34 @@ Fix security problem in lilypond-invoke-editor -If lilypond-invoke-editor was installed as a -general uri-helper it was easy to abuse it to -execute arbitrary code on an attacked system. +If lilypond-invoke-editor was installed as a general +uri-helper it was easy to abuse it to execute arbitrary +code on an attacked system for non-textedit URIs. +This part of the problem was discovered and reported +to our bug-lilypond mailing list by Gabriel Corona. + +But also pure textedit URIs were vulnerable, an +example is the URI + +textedit:///:&xterm -e find ~/&:x: + +that executes "find ~/" in a xterm. With this patch lilypond-invoke-editor only -handles textedit URIs. +handles textedit URIs, and it does no longer +use the systems command processor but +guiles system* procedure for those URIs. + +Also the script will abort if the line, char and +column fields of a textedit URI contain anything +but digits. We could have fixed URI passing to the browser, -but it is not our job to provide a general -URI helper. Other software (e.g. xdg-open and -friends) should be used for that. +but it is not our job to provide a general URI helper. +Other software (e.g. xdg-open and friends) should +be used for that. + +The security problem fixed now was introduced +into lilypond in the year 2005. Signed-off-by: Knut Petersen <address@hidden>
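Review bot: the rewritten description in this hunk carries a few wording slips that will end up in the commit message as written: "it does no longer use the systems command processor but guiles system* procedure" should read "it no longer uses the system's command processor but Guile's system* procedure", "in a xterm" should be "in an xterm", and "But also pure textedit URIs were vulnerable, an example is the URI" is a comma splice that reads better as two sentences or with a semicolon. On content, the added paragraph states that the script aborts when the line, char and column fields contain anything but digits, but says nothing about the file component, which is the one field the description leaves unconstrained; consider stating explicitly how that component is handled when it is handed to system*, so reviewers can confirm the whole URI is covered rather than only the three numeric fields.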
[issues:#5243] Fix security problem in lilypond-invoke-editor
Status: Started
Created: Thu Nov 23, 2017 08:35 AM UTC by Knut Petersen
Last Updated: Fri Nov 24, 2017 05:26 PM UTC
Owner: Knut Petersen
Fix security problem in lilypond-invoke-editor
If lilypond-invoke-editor was installed as a general
uri-helper it was easy to abuse it to execute arbitrary
code on an attacked system for non-textedit URIs.
This part of the problem was discovered and reported
to our bug-lilypond mailing list by Gabriel Corona.
But pure textedit URIs were also vulnerable; an
example is the URI
textedit:///:&xterm -e find ~/&:x:
that executes "find ~/" in an xterm.
With this patch lilypond-invoke-editor only
handles textedit URIs, and it no longer
uses the system's command processor but
Guile's system* procedure for those URIs.
Also the script will abort if the line, char and
column fields of a textedit URI contain anything
but digits.
We could have fixed URI passing to the browser,
but it is not our job to provide a general URI helper.
Other software (e.g. xdg-open and friends) should
be used for that.
The security problem fixed now was introduced
into lilypond in the year 2005.
Signed-off-by: Knut Petersen address@hidden
http://codereview.appspot.com/336240043
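The two mitigations the description names, refusing non-digit line, char and column fields and starting the editor from an argument vector instead of a shell command line, as an added Python illustration that is not LilyPond's own code; the URI layout textedit://FILE:LINE:CHAR:COLUMN and the %(file)s-style editor template are assumptions modelled on the issue text and LilyPond's LYEDITOR convention.

```python
import re
import shlex
import subprocess
from typing import Dict, List, Optional

# URI layout assumed from the issue text: textedit://FILE:LINE:CHAR:COLUMN.
# Only the textedit scheme is accepted and the three trailing fields must be digits.
_TEXTEDIT_RE = re.compile(r"^textedit://(.+):(\d+):(\d+):(\d+)$")


def parse_textedit_uri(uri: str) -> Optional[Dict[str, object]]:
    """Return the URI fields, or None for anything that is not a well-formed
    textedit URI (other schemes and non-digit position fields are refused)."""
    m = _TEXTEDIT_RE.match(uri)
    if m is None:
        return None
    path, line, char, column = m.groups()
    return {"file": path, "line": int(line), "char": int(char), "column": int(column)}


def build_editor_argv(template: str, fields: Dict[str, object]) -> List[str]:
    """Expand a LYEDITOR-style template (assumed example:
    'emacsclient --no-wait +%(line)s:%(column)s %(file)s') into an argv list.

    The template is tokenised before substitution, so a file name containing
    spaces or shell metacharacters stays one argument: no word splitting or
    command substitution is ever applied to URI contents."""
    return [word % fields for word in shlex.split(template)]


def launch_editor(uri: str, template: str) -> Optional[List[str]]:
    """Validate the URI, then start the editor without a shell (the Python
    counterpart of Guile's system*). Returns the argv used, or None if refused."""
    fields = parse_textedit_uri(uri)
    if fields is None:
        return None
    argv = build_editor_argv(template, fields)
    subprocess.run(argv, shell=False, check=False)  # no command processor involved
    return argv


if __name__ == "__main__":
    # Constructed inputs: the URI quoted in the issue is refused outright, and the
    # same path with numeric fields is accepted but stays a single inert argument.
    print(parse_textedit_uri("textedit:///:&xterm -e find ~/&:x:"))  # None
    ok = parse_textedit_uri("textedit:///:&xterm -e find ~/&:1:2:3")
    print(build_editor_argv("emacsclient --no-wait +%(line)s:%(column)s %(file)s", ok))
```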