> [EMAIL PROTECTED] writes:
> > >>>>> "Han-Wen" == Han-Wen Nienhuys <[EMAIL PROTECTED]> writes:
> >
> > Han-Wen> Any version that uses TeX to output has lots of holes.
> > Han-Wen> You can do
> >
> > Han-Wen> \header{ bla = "}\input /etc/passwd \def\bla{" }
> >
> > Han-Wen> to get /etc/passwd into the output.
> >
> > ok, i've disallowed the string "\input". are there any other ways a
> > tex file can reach out to its environment?
>
> there is no way to make this foolproof.
>
> \def\bla{put}\csname in\bla\endcsname
>
> doesn't match your grep, while it has the same effect
Isn't the trick, then, to disallow all backslashes in the \header section?
This means that you lose the possibility to include some special symbols
in the header but since ly2dvi understands all ISO Latin 1 characters,
you can still get almost anything you want.
By the way, there used to be a bug in ly2dvi so it can't parse the
Lilypond generated .tex file if you included curly brackets in any
header field. The problem is that Lilypond inserts newlines at the
brackets and ly2dvi could only parse single line definitions.
I don't know if the problem still remains. If it does, it's maybe
a (crude) solution to most of the security problems.
/Mats
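To make the point of the thread concrete, here is an added example (Python, not ly2dvi code) that contrasts the three filtering policies discussed: the grep for a literal "\input", the "no backslashes at all" rule Mats proposes, and, as a third option, escaping every TeX special character so the field can only be typeset as text. The two payloads are constructed from the ones quoted above; the `\lytitle`-style macro name in `header_def` is a hypothetical output format, not the one ly2dvi actually uses.

```python
"""Header-field sanitising for TeX output: blacklist vs. reject vs. escape.
Added example, not LilyPond/ly2dvi code.  Payloads below are constructed
from the ones in the thread purely for illustration."""

# Han-Wen's original payload: closes the TeX group, \input's a file, reopens.
PAYLOAD_INPUT = r'}\input /etc/passwd \def\bla{'

# The bypass from the thread: the control sequence name "input" is built at
# run time with \csname, so the literal string "\input" never appears.
PAYLOAD_CSNAME = r'}\def\bla{put}\csname in\bla\endcsname /etc/passwd \def\bla{'


def naive_filter(field: str) -> bool:
    """The grep-style check from the thread: only a literal '\\input' is rejected."""
    return '\\input' not in field


def strict_filter(field: str) -> bool:
    """Mats's proposal: any backslash in a header field is rejected."""
    return '\\' not in field


# TeX's special characters and their standard LaTeX textual escapes.
_TEX_ESCAPES = {
    '\\': r'\textbackslash{}',
    '{': r'\{', '}': r'\}',
    '$': r'\$', '&': r'\&', '#': r'\#', '%': r'\%', '_': r'\_',
    '^': r'\textasciicircum{}', '~': r'\textasciitilde{}',
}


def escape_tex(field: str) -> str:
    """Alternative to rejection: replace every TeX-special character with its
    printable escape, so backslashes and braces survive as visible text only."""
    return ''.join(_TEX_ESCAPES.get(ch, ch) for ch in field)


def is_inert(text: str) -> bool:
    """Check that a field is safe to drop into a TeX group: every backslash
    must begin one of the escape sequences we emit, and no unescaped special
    character may remain."""
    allowed = sorted(_TEX_ESCAPES.values(), key=len, reverse=True)
    i = 0
    while i < len(text):
        if text[i] == '\\':
            for seq in allowed:
                if text.startswith(seq, i):
                    i += len(seq)
                    break
            else:
                return False            # a backslash we did not produce
        elif text[i] in _TEX_ESCAPES:
            return False                # bare brace, $, &, # ... left over
        else:
            i += 1
    return True


def header_def(name: str, field: str) -> str:
    """Emit a TeX macro definition for one header field (hypothetical
    \\ly<name> naming; ly2dvi's real output format is not reproduced here)."""
    return '\\def\\ly%s{%s}' % (name, escape_tex(field))


if __name__ == '__main__':
    for label, p in (('\\input payload', PAYLOAD_INPUT),
                     ('\\csname payload', PAYLOAD_CSNAME)):
        print(f'{label}: grep-filter passes={naive_filter(p)} '
              f'no-backslash passes={strict_filter(p)} '
              f'escaped inert={is_inert(escape_tex(p))}')
    print(header_def('title', '100% {sure}'))
```

Running the block shows the grep filter letting the \csname payload through while both the "no backslash" rule and escaping neutralise it; the price of the strict rule is that a title such as "Op. 3 & #1" cannot be written at all, whereas escaping keeps it typesettable.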