Re: lilypond via web interface: security considerations

[Alex]

Graham Percival wrote:
> On Wed, May 20, 2009 at 10:42:28AM +0100, Alex wrote:
>   
> > An alternative for my own context could be to just offer a subset of  
> > lilypond functionality, and reject any output that goes beyond that.  
> >     
>
> This is what -dsafe does.  However, this disallows many useful
> tweaks, and also doesn't stop a particular snippet from using
> massive CPU resources.  To counteract a DOS attack, you'd need to
> have a separate thread that kills the lilypond process if it takes
> longer than X seconds.
>   
Yeah, I've just been looking at safe-lily.scm which appears to filter 
any given module against the safe funcs....
Also I saw the bit that bans include files when in safe mode.
So, the CPU style DoS attack aside, do the above two cover all known 
vectors of attack?

> We'd like to add this functionality to lilypond itself, but that
> takes more coding, of course.  And such patches would need to be
> examined very carefully; a badly-implemented security feature is
> worse than no security feature at all!
>   
Oh yeah. Not to be taken lightly!
I suppose there could be an argument that protecting against resource 
hogging isn't in the remit of the lilypond itself - it's more a 
usage/context consideration - but it could be handy to have in embedded 
in lilypond.
lex

> Cheers,
> - Graham
>
>