[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: lilypond via web interface: security considerations
From: |
Graham Percival |
Subject: |
Re: lilypond via web interface: security considerations |
Date: |
Thu, 21 May 2009 19:46:48 +0800 |
User-agent: |
Mutt/1.5.18 (2008-05-17) |
On Thu, May 21, 2009 at 11:41:36AM +0100, Alex wrote:
> Graham Percival wrote:
>> On Wed, May 20, 2009 at 10:42:28AM +0100, Alex wrote:
>>
>> This is what -dsafe does. However, this disallows many useful
>> tweaks, and also doesn't stop a particular snippet from using
>> massive CPU resources. To counteract a DOS attack, you'd need to
>> have a separate thread that kills the lilypond process if it takes
>> longer than X seconds.
>>
> Yeah, I've just been looking at safe-lily.scm which appears to filter
> any given module against the safe funcs....
> Also I saw the bit that bans include files when in safe mode.
> So, the CPU style DoS attack aside, do the above two cover all known
> vectors of attack?
I doubt it. I'm pretty sure that safe mode allows loops, so you
could just write a four-line lilypond file which adds up numbers
in an infinite loop. Boom, DOS.
Cheers,
- Graham
- Re: lilypond via web interface: security considerations, (continued)
- Re: lilypond via web interface: security considerations, Mike Blackstock, 2009/05/19
- Re: lilypond via web interface: security considerations, Daniel Hulme, 2009/05/20
- Re: lilypond via web interface: security considerations, Alex, 2009/05/20
- Re: lilypond via web interface: security considerations, Graham Percival, 2009/05/20
- Re: lilypond via web interface: security considerations, Alex, 2009/05/21
- Re: lilypond via web interface: security considerations, Matthias Kilian, 2009/05/21
- Re: lilypond via web interface: security considerations, Alex, 2009/05/21
- Re: lilypond via web interface: security considerations, Han-Wen Nienhuys, 2009/05/21
- Re: lilypond via web interface: security considerations,
Graham Percival <=
- Re: lilypond via web interface: security considerations, Alex, 2009/05/20
- Re: lilypond via web interface: security considerations, Mike Blackstock, 2009/05/21
- Re: lilypond via web interface: security considerations, Graham Percival, 2009/05/22
- Re: lilypond via web interface: security considerations, Alex, 2009/05/22
- Re: lilypond via web interface: security considerations, Hans Aberg, 2009/05/22
- Re: lilypond via web interface: security considerations, Mike Blackstock, 2009/05/22