lilypond-user

Re: lilypond via web interface: security considerations


From: Alex
Subject: Re: lilypond via web interface: security considerations
Date: Mon, 18 May 2009 15:10:37 +0100
User-agent: Thunderbird 2.0.0.21 (Windows/20090302)

Joseph Haig wrote:
> 2009/5/18 Alex <address@hidden>:
>> I'm wanting to run lilypond behind a web interface as a free tool that
>> anyone can use. The proof-of-concept seems to work fine. Now I'm
>> thinking of security considerations. In particular, what input to
>> lilypond is possible that could have nuisance or destructive effect?
>
> Is it possible to get Lilypond to include a text file?  Something like:
>
>   \markup { \include "/etc/passwd" }
>
> This doesn't actually work (it just writes out "/etc/passwd"), but if
> you find a way of doing this, this would be a potential security
> issue.  Also, consider what might happen if someone uploads a file
> called:
>
>   "test.ly; rm /var/www/"
>
> These examples are specific to Linux/UNIX, but there will be
> equivalents for any OS.
>
> Regards,
>
> Joe

Thanks for your ideas Joe!

Alex
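
The file-name concern raised in the quoted message, as an added example that is not part of the original thread or of LilyPond itself: it contrasts how a shell would tokenize the quoted upload name with a server-side handler that never uses the client's name and invokes `lilypond` without a shell. The function names, the 32-hex-digit naming scheme and the 30-second timeout are assumptions made for illustration.

```python
import re
import secrets
import shlex
import subprocess
from pathlib import Path

# Constructed sample: the upload name quoted in the message above.
HOSTILE_NAME = "test.ly; rm /var/www/"
# Assumed naming scheme: 32 hex digits chosen by the server, plus ".ly".
SAFE_NAME = re.compile(r"[0-9a-f]{32}\.ly")


def shell_view(upload_name):
    """Anti-pattern, shown for contrast: the tokens a shell sees when the
    client-supplied name is pasted into a command string."""
    command = "lilypond " + upload_name
    return list(shlex.shlex(command, punctuation_chars=True))


def store_upload(upload_dir, data):
    """Save the upload under a server-generated name; the client's file
    name is never used on disk or on a command line."""
    path = Path(upload_dir) / (secrets.token_hex(16) + ".ly")
    path.write_bytes(data)
    return path


def lilypond_argv(source_path, output_dir):
    """Build an argument vector; only names produced by store_upload pass."""
    source_path = Path(source_path)
    if not SAFE_NAME.fullmatch(source_path.name):
        raise ValueError("unexpected source file name")
    output_base = Path(output_dir) / source_path.stem
    return ["lilypond", "-o", str(output_base), str(source_path)]


def render(source_path, output_dir, timeout=30):
    """Run LilyPond without a shell, so ';' in any argument stays inert."""
    argv = lilypond_argv(source_path, output_dir)
    return subprocess.run(argv, timeout=timeout, check=True)
```

This addresses only the upload-name case; what the contents of a submitted `.ly` file can make LilyPond do is the separate question behind the `\include` example.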