From: Alex
Subject: Re: lilypond via web interface: security considerations
Date: Thu, 21 May 2009 11:41:36 +0100
User-agent: Thunderbird 2.0.0.21 (Windows/20090302)

Graham Percival wrote:
> On Wed, May 20, 2009 at 10:42:28AM +0100, Alex wrote:
> > An alternative for my own context could be to just offer a subset of lilypond functionality, and reject any output that goes beyond that.
>
> This is what -dsafe does. However, this disallows many useful tweaks, and also doesn't stop a particular snippet from using massive CPU resources. To counteract a DOS attack, you'd need to have a separate thread that kills the lilypond process if it takes longer than X seconds.

Yeah, I've just been looking at safe-lily.scm which appears to filter any given module against the safe funcs....
Also I saw the bit that bans include files when in safe mode.

So, the CPU style DoS attack aside, do the above two cover all known vectors of attack?

> We'd like to add this functionality to lilypond itself, but that takes more coding, of course. And such patches would need to be examined very carefully; a badly-implemented security feature is worse than no security feature at all!

Oh yeah. Not to be taken lightly!

I suppose there could be an argument that protecting against resource hogging isn't in the remit of lilypond itself - it's more a usage/context consideration - but it could be handy to have it embedded in lilypond.

> Cheers,
> - Graham

Alex
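
The watchdog discussed in this thread, sketched as an added example (not code from the thread or from LilyPond): a POSIX-only wrapper that starts the renderer with `-dsafe`, caps CPU time and address space with kernel rlimits, and kills the whole process group after a wall-clock timeout. It goes slightly beyond the "separate thread" idea by letting the kernel enforce the CPU cap; the function names and limit values are assumptions.

```python
import os
import resource
import signal
import subprocess


def lilypond_cmd(source_path, out_prefix):
    # -dsafe is the mode discussed in the thread; -o sets the output prefix.
    return ["lilypond", "-dsafe", "-o", out_prefix, source_path]


def _cap(kind, value):
    # Lower only the soft limit; the inherited hard limit is left untouched.
    _, hard = resource.getrlimit(kind)
    if hard != resource.RLIM_INFINITY:
        value = min(value, hard)
    resource.setrlimit(kind, (value, hard))


def run_limited(cmd, wall_s=10, cpu_s=5, mem_bytes=1 << 30):
    """Run cmd under limits; return (status, returncode).

    status is "ok", "failed" (non-zero exit, which includes running out of
    memory) or "killed" (ended by a signal or by the wall-clock watchdog).
    The limit values are assumptions; tune them to the scores you accept.
    """
    def set_limits():
        # Runs in the child before exec: kernel-enforced CPU and memory caps.
        _cap(resource.RLIMIT_CPU, cpu_s)
        _cap(resource.RLIMIT_AS, mem_bytes)

    proc = subprocess.Popen(
        cmd,
        stdin=subprocess.DEVNULL,
        stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
        preexec_fn=set_limits,
        start_new_session=True,  # own process group, so child helpers die too
    )
    try:
        rc = proc.wait(timeout=wall_s)
    except subprocess.TimeoutExpired:
        # Wall-clock watchdog: catches sleeps and I/O stalls that use no CPU.
        os.killpg(proc.pid, signal.SIGKILL)
        rc = proc.wait()
        return ("killed", rc)
    if rc < 0:  # terminated by a signal, e.g. SIGXCPU from RLIMIT_CPU
        return ("killed", rc)
    return ("ok" if rc == 0 else "failed", rc)
```

A web front end would call `run_limited(lilypond_cmd(path, prefix))` from a scratch directory and treat anything other than `"ok"` as a rejected submission.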