On Wed, May 20, 2009 at 10:42:28AM +0100, Alex wrote: > An alternative for my own context could be to just offer a subset of > lilypond functionality, and reject any output that goes beyond that.
This is what -dsafe does. However, this disallows many useful tweaks, and also doesn't stop a particular snippet from using massive CPU resources. To counteract a DOS attack, you'd need to have a separate thread that kills the lilypond process if it takes longer than X seconds. We'd like to add this functionality to lilypond itself, but that takes more coding, of course. And such patches would need to be examined very carefully; a badly-implemented security feature is worse than no security feature at all! Cheers, - Graham _______________________________________________ lilypond-user mailing list lilypond-user@gnu.org http://lists.gnu.org/mailman/listinfo/lilypond-user
