author | G. Branden Robinson <g.branden.robinson@gmail.com> | 2021-05-31 01:52:03 +1000 |
---|---|---|
committer | G. Branden Robinson <g.branden.robinson@gmail.com> | 2021-05-31 01:52:03 +1000 |
commit | ba329a0aaedcf5716ebbb8ac248663e6a2519a73 (patch) | |
tree | 8f7022caafc022052dd247abab5bb15c5ccd87be /contrib/glilypond/ChangeLog | |
parent | d843db13b7b6ffbadd7678d0f71bea43a1684bf6 (diff) | |
download | groff-git-ba329a0aaedcf5716ebbb8ac248663e6a2519a73.tar.gz |
Apply contrib ChangeLog discipline.
Diffstat (limited to 'contrib/glilypond/ChangeLog')
-rw-r--r-- | contrib/glilypond/ChangeLog | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/contrib/glilypond/ChangeLog b/contrib/glilypond/ChangeLog index 31bd34fd6..d9cc70f54 100644 --- a/contrib/glilypond/ChangeLog +++ b/contrib/glilypond/ChangeLog @@ -1,3 +1,34 @@ +2021-01-06 Colin Watson <cjwatson@debian.org> + + * glilypond.pl: Avoid Perl's unsafe "<>" operator. + + The "<>" operator is implemented using the two-argument form of + "open", which interprets magic such as pipe characters, allowing + execution of arbitrary commands which is unlikely to be + expected. Perl >= 5.22 has a "<<>>" operator which avoids this, + but also forbids the use of "-" to mean the standard input, + which is a facility that the affected groff programs document. + + ARGV::readonly would probably also fix this, but I fundamentally + dislike the approach of escaping data in preparation for a + language facility to unescape it, especially when the required + escaping is as non-obvious as it is here. (For the same reason, + I prefer to use subprocess invocation facilities that allow + passing the argument list as a list rather than as a string to + be interpreted by the shell.) So I've abandoned this dubious + convenience and changed the affected programs to iterate over + command-line arguments manually using the three-argument form of + open. + + glilypond doesn't need the initial unshift since that's already + handled in args.pl. + + Fixes <https://savannah.gnu.org/bugs/?55557>. + +2020-04-22 G. Branden Robinson <g.branden.robinson@gmail.com> + + * glilypond.1.man: Delete references to groffer. + 2018-02-28 Werner LEMBERG <wl@gnu.org> * glilypond.am (glilypond): Use $(AM_V_GEN) to silence file generation. |
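Review bot: In the 2021-01-06 entry, the paragraph "glilypond doesn't need the initial unshift since that's already handled in args.pl" refers to an unshift that this ChangeLog never introduces, and the text above it speaks of "the affected programs" in the plural although the entry is headed only "* glilypond.pl:". Since this file records glilypond alone, either say in one clause what the unshift does in the other programs, or narrow the wording to what changed in glilypond.pl (iterating over the command-line arguments with three-argument open instead of "<>"), so the entry can be read without the other contrib ChangeLogs. A smaller style point: the existing 2018-02-28 entry names the changed item in parentheses, "glilypond.am (glilypond)", while the new entry gives no such hint of where in glilypond.pl the input loop lives; adding one would help anyone auditing the file for remaining two-argument opens.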