Re: lilypond via web interface: security considerations

[Han-Wen Nienhuys]

On Thu, May 21, 2009 at 8:38 AM, Matthias Kilian <address@hidden> wrote:
> On Thu, May 21, 2009 at 11:41:36AM +0100, Alex wrote:
>> Yeah, I've just been looking at safe-lily.scm which appears to filter
>> any given module against the safe funcs....
>> Also I saw the bit that bans include files when in safe mode.
>> So, the CPU style DoS attack aside, do the above two cover all known
>> vectors of attack?
>
> Who knows? You've to audit *all* functions allowed in safe-lily.scm.
> And you've to check every future change to those functions. I don't
> believe that such a safe mode will ever be enough to make a program
> really safe.

There is another option I discussed with Dscho;  you could make an
--extra-safe mode, which reads the s-exps, but does not call GUILE's
eval.  It should be feasible to replace the Scheme eval with a simpler
one (which does not call functions or macros).  This would
significantly limit the attack possibilities.

-- 
Han-Wen Nienhuys - address@hidden - http://www.xs4all.nl/~hanwen