Graham Percival wrote:
On Wed, May 20, 2009 at 10:42:28AM +0100, Alex wrote:
An alternative for my own context could be to just offer a subset of lilypond functionality, and reject any output that goes beyond that.

This is what -dsafe does.  However, this disallows many useful
tweaks, and also doesn't stop a particular snippet from using
massive CPU resources.  To counteract a DOS attack, you'd need to
have a separate thread that kills the lilypond process if it takes
longer than X seconds.
Yeah, I've just been looking at safe-lily.scm which appears to filter any given module against the safe funcs....
Also I saw the bit that bans include files when in safe mode.
So, the CPU style DoS attack aside, do the above two cover all known vectors of attack?

We'd like to add this functionality to lilypond itself, but that
takes more coding, of course.  And such patches would need to be
examined very carefully; a badly-implemented security feature is
worse than no security feature at all!
Oh yeah. Not to be taken lightly!
I suppose there could be an argument that protecting against resource hogging isn't in the remit of lilypond itself - it's more a usage/context consideration - but it could be handy to have embedded in lilypond.
lex

Cheers,
- Graham
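The "separate thread that kills the lilypond process" Graham describes, as an added example that is not from the thread or the LilyPond project: a wrapper that runs a -dsafe invocation under a wall-clock timeout plus kernel-enforced CPU and memory caps, so a runaway snippet is stopped even if the watchdog is late. The lilypond command line, paths, and the CPU-spinning stand-in process are assumptions constructed for the example.

```python
# Added example (not the project's code): run an untrusted snippet under -dsafe
# with resource caps, since -dsafe alone does not stop CPU/memory exhaustion.
import resource
import subprocess
import sys
from dataclasses import dataclass
from typing import Optional


@dataclass
class RunResult:
    returncode: Optional[int]  # None when the watchdog had to kill the child
    timed_out: bool
    stderr: str


def _apply_limits(cpu_seconds: int, mem_bytes: Optional[int]) -> None:
    """Runs in the child just before exec(): hard caps the kernel enforces."""
    # CPU-time cap: the kernel sends SIGXCPU, then SIGKILL, once it is used up,
    # so a busy loop dies even if the wall-clock watchdog fires late.
    resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds))
    if mem_bytes is not None:
        resource.setrlimit(resource.RLIMIT_AS, (mem_bytes, mem_bytes))
    # No core dumps of possibly attacker-influenced memory written to disk.
    resource.setrlimit(resource.RLIMIT_CORE, (0, 0))


def run_limited(cmd, wall_seconds=30, cpu_seconds=20, mem_bytes=512 * 2**20):
    """Run cmd and SIGKILL it after wall_seconds; never trust it to exit."""
    proc = subprocess.Popen(cmd, stdin=subprocess.DEVNULL, stdout=subprocess.DEVNULL,
                            stderr=subprocess.PIPE,
                            preexec_fn=lambda: _apply_limits(cpu_seconds, mem_bytes))
    try:
        _, err = proc.communicate(timeout=wall_seconds)
        return RunResult(proc.returncode, False, err.decode(errors="replace"))
    except subprocess.TimeoutExpired:
        proc.kill()          # SIGKILL, not SIGTERM: the child may ignore polite requests
        proc.communicate()   # reap it so no zombie is left behind
        return RunResult(None, True, "killed after wall-clock limit")


def lilypond_command(src_path: str, out_dir: str):
    """Command line for an untrusted snippet: -dsafe (from the thread) plus an
    output directory the caller controls. Paths are assumptions."""
    return ["lilypond", "-dsafe", "-o", out_dir, src_path]


if __name__ == "__main__":
    # Constructed stand-in for a CPU-hogging snippet, so the wrapper can be
    # exercised without lilypond installed.
    spin = [sys.executable, "-c", "while True: pass"]
    print(run_limited(spin, wall_seconds=2, cpu_seconds=1))
```

The same wrapper is called with `lilypond_command(...)` in place of the stand-in; the wall-clock timeout and the rlimits are independent, so either one alone catching the runaway is enough.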





_______________________________________________
lilypond-user mailing list
lilypond-user@gnu.org
http://lists.gnu.org/mailman/listinfo/lilypond-user