From: Auto mailings of changes to Lily Issues via Testlilyissues-auto
Subject: [Lilypond-auto] [LilyIssues-auto] [testlilyissues:issues] #5334 Use system* instead of system when invoking browser
Date: Mon, 11 Jun 2018 22:00:40 -0000
It's easy to get confused in this matter.
On 11/15 2017 Gabriel reported the BROWSER bug, see http://lists.gnu.org/archive/html/bug-lilypond/2017-11/msg00024.html.
Eight days later I opened issue 5243 and proposed a patch to fix the BROWSER bug and a 2nd security problem related to TEXTEDIT links. My proposed solution was to fix the TEXTEDIT code and to completely kill the vulnerable BROWSER code.
Later David proposed an alternative patch in the same issue 5243; that patch was chosen to be integrated into lilypond master. Maybe that patch was the better solution for the TEXTEDIT problem, but David's patch did nothing to fix the BROWSER bug.
Now Don Armstrong reminds us with his patch that the BROWSER bug is still present and proposes a valid solution of that security problem.
Does 'firefox --remote URL' still work? I don't know, I don't care. I'd remove the code, but I probably will not complain if it survives another decade. Maybe someone will propose a patch to adapt the BROWSER related code to our modern software environments.
David's TEXTEDIT code is already in master, apply Don's patch and both security holes are closed in that branch.
Probably the TEXTEDIT and BROWSER patches should also be part of a security-fix-release 2.18.3.
[issues:#5334] Use system* instead of system when invoking browser
Status: Started
Created: Sat Jun 02, 2018 06:03 PM UTC by pkx166h
Last Updated: Mon Jun 11, 2018 05:31 PM UTC
Owner: pkx166h
Attachments:
Don Armstrong - 2018-05-11
I have just uploaded a fix to Debian which switches to using system* instead of system:
https://salsa.debian.org/debian/lilypond/commit/788b56e4b7f62637481af65b4b2929649c30fe78
Not sure if this is cross-platform enough, but it solves the issue for systems with a working system* call.
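The difference between the two Guile calls named in the issue title, as an added sketch that is not part of the thread, of the Debian commit, or of LilyPond's source. The procedure names, the URL allow-list, and the use of `echo` as a stand-in for the program named by BROWSER are assumptions made for illustration.

```scheme
;; Added illustration, not LilyPond's code. All procedure names are
;; hypothetical; `echo` stands in for the program named by BROWSER.
(use-modules (srfi srfi-1))

;; Constructed sample value: URL-shaped text carrying a shell metacharacter.
(define sample-url "http://example.invalid/doc.html; echo PARSED-BY-SHELL")

;; Before: `system` hands ONE string to `/bin/sh -c`. The shell re-parses
;; it, so text after `;` runs as a separate command.
(define (open-url/system browser url)
  (system (string-append browser " " url)))

;; After: `system*` executes the program directly. Each argument arrives
;; as exactly one argv entry and no shell ever sees the URL.
(define (open-url/system* browser url)
  (system* browser url))

;; Assumption beyond the thread: system* removes shell parsing only. The
;; launched program still interprets its own options, so accept only
;; values that start with a known scheme and contain no whitespace.
(define allowed-prefixes '("http://" "https://" "file://"))

(define (plausible-url? url)
  (and (any (lambda (prefix) (string-prefix? prefix url)) allowed-prefixes)
       (not (string-any char-whitespace? url))))

;; Returns the child's exit code, or #f when the value is refused.
(define (open-url browser url)
  (if (plausible-url? url)
      (status:exit-val (system* browser url))
      (begin
        (format (current-error-port) "refusing to open ~s~%" url)
        #f)))

;; Demo: the same constructed value through each path.
(open-url/system  "echo" sample-url)   ; shell splits the string at `;`
(open-url/system* "echo" sample-url)   ; whole string is a single argument
(open-url "echo" sample-url)           ; refused by the allow-list check
(open-url "echo" "http://example.invalid/doc.html")
```

Run it with `guile` on a system that has `echo` on the PATH and compare what the first two calls print.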