I’ve just published the disclosure of a vulnerability in a piece of code that’s sometimes recommended by the Ruby on Rails community (and possibly others) for use with Sublime Text. ‘Subl’ was a protocol handler for subl:// URLs and lived at https://github.com/dhoulb/subl.
I discovered a nasty vulnerability in this protocol handler that could result in command execution if someone was tricked into clicking on a maliciously crafted link.
The author has since removed it from GitHub, and you should delete it from your computer. There are alternatives.
I’ve written up an advisory here:
https://inopinatus.org/2017/08/02/shell-command-execution-vulnerability-in-subl-a-third-party-sublime-text-url-handler/
Stay safe, everyone!