Re: lilypond via web interface: security considerations

From: Alex
Subject: Re: lilypond via web interface: security considerations
Date: Thu, 21 May 2009 11:41:36 +0100
User-agent: Thunderbird (Windows/20090302)

Graham Percival wrote:
> On Wed, May 20, 2009 at 10:42:28AM +0100, Alex wrote:
>> An alternative for my own context could be to just offer a subset of lilypond functionality, and reject any output that goes beyond that.
>
> This is what -dsafe does.  However, this disallows many useful
> tweaks, and also doesn't stop a particular snippet from using
> massive CPU resources.  To counteract a DOS attack, you'd need to
> have a separate thread that kills the lilypond process if it takes
> longer than X seconds.

Yeah, I've just been looking at safe-lily.scm which appears to filter any given module against the safe funcs....
Also I saw the bit that bans include files when in safe mode.
So, the CPU style DoS attack aside, do the above two cover all known vectors of attack?

> We'd like to add this functionality to lilypond itself, but that
> takes more coding, of course.  And such patches would need to be
> examined very carefully; a badly-implemented security feature is
> worse than no security feature at all!

Oh yeah. Not to be taken lightly!
I suppose there could be an argument that protecting against resource hogging isn't in the remit of the lilypond itself - it's more a usage/context consideration - but it could be handy to have embedded in lilypond.

> - Graham
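
The "kill the lilypond process if it takes longer than X seconds" idea from this message, as an added example that is not part of the original email or of LilyPond's own code. It assumes a POSIX host; `run_limited` and `render_untrusted` are hypothetical names, and the limits are placeholder values.

```python
import os
import resource
import signal
import subprocess
import sys


def run_limited(argv, wall_seconds=10, cpu_seconds=5):
    """Run argv under a CPU cap and a wall-clock cap; return (status, returncode)."""

    def cap_cpu():
        # Runs in the child just before exec, so the kernel enforces the cap
        # even if the parent dies. Never ask for more than the inherited hard limit.
        _, hard = resource.getrlimit(resource.RLIMIT_CPU)
        want = cpu_seconds + 1
        new_hard = want if hard == resource.RLIM_INFINITY else min(want, hard)
        resource.setrlimit(resource.RLIMIT_CPU, (min(cpu_seconds, new_hard), new_hard))

    proc = subprocess.Popen(
        argv,
        stdin=subprocess.DEVNULL, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
        preexec_fn=cap_cpu,
        start_new_session=True,  # own process group, so helper processes die with it
    )
    try:
        proc.wait(timeout=wall_seconds)
    except subprocess.TimeoutExpired:
        os.killpg(proc.pid, signal.SIGKILL)  # kill the whole group, not just the parent
        proc.wait()
        return ("timeout", proc.returncode)
    # SIGXCPU arrives at the soft CPU limit, SIGKILL at the hard one.
    if proc.returncode in (-signal.SIGXCPU, -signal.SIGKILL):
        return ("cpu-limit", proc.returncode)
    return ("ok" if proc.returncode == 0 else "failed", proc.returncode)


def render_untrusted(ly_path, out_dir):
    # Hypothetical wrapper: -dsafe is the flag named in the thread, -o sets the output location.
    return run_limited(["lilypond", "-dsafe", "-o", out_dir, ly_path])


if __name__ == "__main__":
    # Constructed stand-ins for a hostile score: a busy loop and a sleeper.
    print(run_limited([sys.executable, "-c", "while True: pass"], cpu_seconds=1))
    print(run_limited([sys.executable, "-c", "import time; time.sleep(30)"], wall_seconds=1))
```

The CPU cap catches a snippet that spins, and the wall-clock cap catches one that stalls without burning CPU; neither replaces the function filtering that safe mode performs.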
