
#5342 lilypond-invoke-editor should only handle textedit URIs

Status: Invalid
Milestone: None
Updated: 2018-06-16
Created: 2018-06-11
Private: No

This came out of both

https://sourceforge.net/p/testlilyissues/issues/5243/

and

https://sourceforge.net/p/testlilyissues/issues/5334/

From Knut Petersen - 2018-06-03

I think that lilypond-invoke-editor should only handle textedit URIs. It might be a good idea to have a 2nd look at the patch I suggested in 2017.

https://codereview.appspot.com/336240043
https://sourceforge.net/p/testlilyissues/issues/5243/

On top of current master

    git revert aee02594be68a968bb843f87d3264777099e46b4
    git revert 39f800a7e5acb7cc5da6424c99fd2690e389495a
    git revert 807f5eb8cd631133da3be6897e3e8fa7202e089d
    wget https://codereview.appspot.com/download/issue336240043_60001.diff

would be needed for a test build.

In 2017 one objection was that my patch does not change the code in lily.scm ... do we really need to change that code? I don't see a problem as the code is executed by lilypond, we give the arguments. But maybe I don't have the imagination to see a security hole ...

Discussion

  • Anonymous - 2018-06-11

    David Kastrup - 2018-06-03

    Having taken a look at the Usage Guide, it would appear that at least in connection with xpdf use, the recommended use would pass all URIs through lilypond-invoke-editor. I have problems finding a reasonable spec for the BROWSER environment variable and the mozilla fallback looks like it would require a nesting of shell and JavaScript(?) quoting, a definite "ugh".

    • Anonymous - 2018-06-11

      Gabriel Corona - 2018-06-03

      See The Secure BROWSER Specification for some analysis on how the BROWSER variable could/should work.

      https://www.dwheeler.com/browse/secure_browser.html

      The BROWSER variable is not really specified and at least 3 different behaviors exist:

      • some programs use the BROWSER variable as a program to invoke;
      • some programs use the BROWSER variable as a colon-separated list of candidate programs to invoke;
      • some additionally have support for %s-expansion.

      Some programs don't expand the program into several arguments, some do expand the program into different arguments based on spaces, some pass the result to system (allowing shell commands in the BROWSER variable).

      In contrast, the .desktop spec clearly defines how the string should be split into different arguments.

      https://standards.freedesktop.org/desktop-entry-spec/latest/ar01s07.html

  • Anonymous - 2018-06-11

    Gabriel Corona - 2018-06-03

    The Firefox -remote OpenURL(...) in many different programs is a remnant from a long past. It doesn't work on recent versions of Firefox (and I think it has not been working for quite a few years).

    If you check out aee02594be68a968bb843f87d3264777099e46b4 you still have this vulnerable code:

        (define (run-browser uri)
          (system
           (if (getenv "BROWSER")
               (format #f "~a ~a" (getenv "BROWSER") uri)
               (format #f "firefox -remote 'OpenURL(~a,new-tab)'" uri))))
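As an added example (not LilyPond's code), here is how a dispatcher could apply the two points raised in this thread: accept only textedit URIs (the textedit://FILE:LINE:CHAR:COLUMN layout is an assumption), and for anything handed to a browser, parse BROWSER as the Secure BROWSER Specification describes into argv lists so the URI never passes through a shell. shlex is used here as an approximation of .desktop Exec splitting.

```python
import re
import shlex
import subprocess

# Assumed shape of LilyPond point-and-click URIs: textedit://FILE:LINE:CHAR:COLUMN
TEXTEDIT_RE = re.compile(r"^textedit://(.*):(\d+):(\d+):(\d+)$")


def parse_textedit(uri):
    """Return (file, line, char, column) for a textedit URI, None for any other scheme."""
    m = TEXTEDIT_RE.match(uri)
    return (m.group(1), int(m.group(2)), int(m.group(3)), int(m.group(4))) if m else None


def _expand(word, uri):
    """Expand %s to the URI and %% to a literal % inside one argv word (no shell)."""
    out, used, i = "", False, 0
    while i < len(word):
        if word.startswith("%s", i):
            out, used, i = out + uri, True, i + 2
        elif word.startswith("%%", i):
            out, i = out + "%", i + 2
        else:
            out, i = out + word[i], i + 1
    return out, used


def browser_candidates(browser_env, uri):
    """Turn a BROWSER value into argv lists: colon-separated candidates, each split
    into words (shlex approximates .desktop Exec splitting), %s replaced by the URI
    as a single argument, and the URI appended when the candidate has no %s."""
    argvs = []
    for candidate in browser_env.split(":"):
        if not candidate.strip():
            continue
        argv, used_any = [], False
        for word in shlex.split(candidate):
            text, used = _expand(word, uri)
            argv.append(text)
            used_any = used_any or used
        argvs.append(argv if used_any else argv + [uri])
    return argvs


def run_browser(uri, browser_env):
    """Start the first candidate that launches; return its argv, or None if none did.
    Each candidate is an argv list, so shell metacharacters in the URI are inert
    (contrast with the system() call in the Scheme snippet above)."""
    for argv in browser_candidates(browser_env, uri):
        try:
            subprocess.Popen(argv)
            return argv
        except OSError:
            continue
    return None
```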
  • Anonymous - 2018-06-11
    • status: New --> Started
    • assigned_to: Knut Petersen
  • Anonymous - 2018-06-16
    • status: Started --> Invalid
    • assigned_to: Knut Petersen --> pkx166h
  • Anonymous - 2018-06-16

    It was a mistake (by me) to have created this - see https://sourceforge.net/p/testlilyissues/issues/5334/

    Setting invalid.
