>>>>> "morty" == Mordechai T Abzug <[EMAIL PROTECTED]> writes:

    morty> From a security perspective, you should disallow
    morty> *everything* by default, and then explicitly allow stuff
    morty> you recognize to be good.

you mean by defining what constitutes an acceptable line of mudela?
i'm not sure how that would work.  a file of mudela will be pretty
flexible in its arrangement and can contain lyrics and comments.  i
wonder if by trying to define what is allowable i wouldn't run even
more risk of letting something slip through.  i mean, since it can
contain english text in the lyrics, i'd have to allow any english
words in any combination and with any punctuation.

the approach i'm trying to take instead is to say, "what can lilypond
be made to do by being given a mudela file to process?"  and to
disable all the bad things.  i know there's a chance we'll miss
something, but it seems to me a finite problem as opposed to asking
what makes a syntactically security-acceptable chunk of mudela script,
since that syntax can include the syntax of the language of the
lyrics/comments as well (whichever language that may be).

maybe i don't clearly understand what you're suggesting.


my way of looking at the problem is to consider what could happen as
the score gets passed to each of the three programs that work on it.
i can think of two things that could happen:  either they could be
made to run malicious code, or they could be used to reveal
information about the server.  so,

ly2dvi -- don't know of anything that could be put into a score to
          make ly2dvi run code or write to files other than those it's
          supposed to.  someone could try
          \output "/etc/passwd";
          , but it wouldn't do anything since the script is running as
          nobody.  am still open to suggestions of how it could be
          used to read in system files and display them amidst the output.
dvips  -- don't know what could be inserted into the resulting dvi
          file that could cause a problem.  anyone?
ps_to_gifs -- don't know what could be inserted into the resulting
              postscript file that could cause a problem.  anyone?


so, what's a better way of thinking about and approaching this?

-- 
|----------------------------------------------------------------------------|
| jeff covey [EMAIL PROTECTED] http://pobox.com/~jeff.covey/ 410-669-4926 |
|----------------------------------------------------------------------------|
|   Beware of bugs in the above code; I have only proved it correct, not     |
|   tried it. -- Donald Knuth                                                |
|----------------------------------------------------------------------------|
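One way to put the "disable the bad things" approach into practice for the one concrete case named above, as an added example that is not code from this thread or from LilyPond: a wrapper that rejects `\output` targets escaping the per-job directory, runs each stage (ly2dvi, dvips, ps_to_gifs) with CPU and file-size limits, and afterwards lists any files the stage produced that the pipeline did not expect. The job-directory layout, the limits and the sample score are assumptions.

```python
"""Confine an untrusted mudela score as it passes through the ly2dvi pipeline."""
import os
import re
import resource
import subprocess
import tempfile

# The \output "..." directive quoted in the thread; the regex is an assumption
# about how the directive is written, not taken from the mudela grammar.
OUTPUT_RE = re.compile(r'\\output\s*"([^"]*)"')

# Constructed sample: one good target, one absolute path, one traversal.
SAMPLE_SCORE = (
    '\\header { title = "test"; }\n'
    '\\output "score";\n'
    '\\output "/etc/passwd";\n'
    '\\output "../elsewhere";\n'
)


def output_targets(source: str) -> list[str]:
    """Every path named by an \\output directive, in order of appearance."""
    return OUTPUT_RE.findall(source)


def escapes_workdir(workdir: str, target: str) -> bool:
    """True if target (absolute or relative) resolves outside workdir."""
    root = os.path.realpath(workdir)
    full = os.path.realpath(os.path.join(root, target))  # absolute target replaces root
    return os.path.commonpath([root, full]) != root


def vet_score(source: str, workdir: str) -> list[str]:
    """Return the \\output targets that would write outside the job directory."""
    return [t for t in output_targets(source) if escapes_workdir(workdir, t)]


def _limit_resources() -> None:
    # Runs in the child before exec: cap CPU seconds and output file size so a
    # crafted score cannot spin forever or fill the disk (limits are assumptions).
    resource.setrlimit(resource.RLIMIT_CPU, (30, 30))
    resource.setrlimit(resource.RLIMIT_FSIZE, (50 * 2**20, 50 * 2**20))


def run_stage(argv: list[str], workdir: str) -> subprocess.CompletedProcess:
    """Run one pipeline stage with cwd pinned to the job directory."""
    return subprocess.run(argv, cwd=workdir, capture_output=True,
                          timeout=60, preexec_fn=_limit_resources, check=False)


def unexpected_files(workdir: str, expected: set[str]) -> set[str]:
    """Files now present in workdir that the pipeline did not intend to create."""
    return set(os.listdir(workdir)) - expected


if __name__ == "__main__":
    job = tempfile.mkdtemp(prefix="mudela-job-")
    print("rejected targets:", vet_score(SAMPLE_SCORE, job))
```

The `run_stage` and `unexpected_files` helpers are meant to be called in sequence per stage (for example `run_stage(["ly2dvi", "score.ly"], job)` followed by a check against `{"score.ly", "score.dvi"}`); the vetting step alone is what the sample exercises.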
