lilypond-user

Re: lilypond via web interface: security considerations


From: Matthias Kilian
Subject: Re: lilypond via web interface: security considerations
Date: Thu, 21 May 2009 13:38:59 +0200
User-agent: Mutt/1.4.2.3i

On Thu, May 21, 2009 at 11:41:36AM +0100, Alex wrote:
> Yeah, I've just been looking at safe-lily.scm which appears to filter 
> any given module against the safe funcs....
> Also I saw the bit that bans include files when in safe mode.
> So, the CPU style DoS attack aside, do the above two cover all known 
> vectors of attack?

Who knows? You've to audit *all* functions allowed in safe-lily.scm.
And you've to check every future change to those functions. I don't
believe that such a safe mode will ever be enough to make a program
really safe.

> >We'd like to add this functionality to lilypond itself, but that
> >takes more coding, of course.  And such patches would need to be
> >examined very carefully; a badly-implemented security feature is
> >worse than no security feature at all!
> >  
> Oh yeah. Not to be taken lightly!
> I suppose there could be an argument that protecting against resource
> hogging isn't in the remit of lilypond itself - it's more a
> usage/context consideration - but it could be handy to have embedded
> in lilypond.

No, why? You can limit resource access (cpu, memory, disk, network)
from whatever starts lilypond.  Adding such functionality to lilypond
makes the code more complex and error-prone.

Ciao,
        Kili
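
Limiting resources "from whatever starts lilypond", as the reply above suggests, shown as an added example that is not part of the original message or of LilyPond: a launcher that applies POSIX rlimits in the child just before exec. The function names, the limit values and the command line in the final comment are assumptions; network and filesystem isolation need other OS mechanisms and are not covered here.

```python
import resource
import signal
import subprocess
import sys


def _cap(res, soft, hard):
    # Only ever lower a limit: clamp to the hard limit we already run under.
    cur_hard = resource.getrlimit(res)[1]
    if cur_hard != resource.RLIM_INFINITY:
        soft, hard = min(soft, cur_hard), min(hard, cur_hard)
    resource.setrlimit(res, (soft, hard))


def limited_run(argv, cpu_seconds=30, mem_bytes=512 * 2**20,
                fsize_bytes=50 * 2**20, wall_seconds=60, cwd=None):
    """Run argv under kernel-enforced limits; return (status, returncode)."""

    def apply_limits():
        # Runs in the child between fork() and exec(), so only the renderer is capped.
        # Soft CPU limit delivers SIGXCPU; the hard limit one second later is SIGKILL.
        _cap(resource.RLIMIT_CPU, cpu_seconds, cpu_seconds + 1)
        _cap(resource.RLIMIT_AS, mem_bytes, mem_bytes)        # address space
        _cap(resource.RLIMIT_FSIZE, fsize_bytes, fsize_bytes)  # largest file written
        _cap(resource.RLIMIT_CORE, 0, 0)                       # no core dumps

    try:
        # Output is discarded so a chatty child cannot exhaust the parent's memory.
        proc = subprocess.run(argv, preexec_fn=apply_limits, cwd=cwd,
                              stdin=subprocess.DEVNULL, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=wall_seconds)
    except subprocess.TimeoutExpired:
        # CPU time does not advance while the child sleeps or blocks,
        # so a wall-clock deadline is needed as well.
        return ("wall-timeout", None)
    if proc.returncode == -signal.SIGXCPU:
        return ("cpu-limit", proc.returncode)
    if proc.returncode == -signal.SIGXFSZ:
        return ("file-size-limit", proc.returncode)
    if proc.returncode == -signal.SIGKILL:
        return ("killed", proc.returncode)
    return ("ok" if proc.returncode == 0 else "failed", proc.returncode)


if __name__ == "__main__" and len(sys.argv) > 1:
    # Assumed usage: python limited_run.py lilypond -dsafe score.ly
    print(limited_run(sys.argv[1:]))
```

A memory overrun usually appears as an ordinary non-zero exit ("failed"), because the child's allocation simply fails instead of raising a signal.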
