On 15.11.2017 at 00:12, Gabriel Corona wrote:
> In fact, in lilypond-invoke-editor's case it's even worse than that as
> lilypond-invoke-editor can be used to execute arbitrary commands:
>
> BROWSER="chromium" /usr/bin/lilypond-invoke-editor "http://www.example.com/ & xterm"
>
> BROWSER="chromium" /usr/bin/lilypond-invoke-editor "http://www.example.com/&xterm";

I have to admit that I never used lilypond-invoke-editor, but it is obvious that
Gabriel's report is correct. Thanks for reporting the problem, Gabriel!

BUT:  In lilypond-invoke-editor we have:

   (define (is-textedit-uri? uri)
      (string-match "^textedit:" uri))

   [...]

   (define (run-browser uri)
      (system
       (if (getenv "BROWSER")
           (format #f "~a ~a" (getenv "BROWSER") uri)
           (format #f "firefox -remote 'OpenURL(~a,new-tab)'" uri))))

   [...]

        (let* ((uri (car files)))
          (if (is-textedit-uri? uri)
              (run-editor uri)
              (run-browser uri)))))


It would be possible to fix handling of URIs for browsers, but as long as
lilypond-invoke-editor is only called for textedit URIs, run-browser will not
be executed.

That means: There only is a real and severe security problem if
lilypond-invoke-editor is installed to handle non-textedit URIs.

Does anybody do that? Probably not.

I think we simply should nuke run-browser and do nothing
if lilypond-invoke-editor is called with a non-textedit URI.

Knut




_______________________________________________
bug-lilypond mailing list
bug-lilypond@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-lilypond
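
The behaviour discussed in the mail above, as an added example that is not part of the original message or of LilyPond's code: it contrasts the string handed to `system` by the quoted `run-browser` with an argument-vector call and with the proposed "textedit only" handling. `echo` stands in for the browser, `echo INJECTED` is a harmless constructed marker in place of the reported payload, and all function names here are hypothetical.

```shell
#!/bin/sh
# Added illustration; not code from LilyPond. The "browser" is a stand-in
# (echo) and the payload is a harmless marker, both constructed for this demo.

URI='http://www.example.com/ & echo INJECTED'   # constructed sample input

# Mirrors run-browser: (system (format #f "~a ~a" BROWSER uri)).
# system() gives the whole string to "sh -c", so the shell re-parses the URI.
run_browser_system() {
    sh -c "$1 $2"
}

# Hardened variant: program and URI are separate argv entries; no shell
# ever parses the URI. Assumes BROWSER names a single program, no options.
run_browser_argv() {
    "$1" "$2"
}

# The behaviour proposed in the mail: act on textedit: URIs only and do
# nothing for anything else (run_editor is a hypothetical placeholder).
run_editor() { echo "editor: $1"; }
invoke_editor() {
    case "$1" in
        textedit:*) run_editor "$1" ;;
        *)          return 0 ;;
    esac
}

# True when the marker ran as a command of its own, i.e. the captured
# output contains a line consisting only of "INJECTED".
marker_ran() {
    printf '%s\n' "$1" | grep -qx 'INJECTED'
}

for variant in run_browser_system run_browser_argv invoke_editor; do
    case "$variant" in
        invoke_editor) out=$("$variant" "$URI") ;;
        *)             out=$("$variant" echo "$URI") ;;
    esac
    if marker_ran "$out"; then verdict='marker executed'
    else verdict='marker not executed'; fi
    printf '%-20s %s\n' "$variant" "$verdict"
done
```

Only the `sh -c` variant treats the text after `&` as a second command; the other two pass it through as data or ignore the URI entirely.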
