[EMAIL PROTECTED] writes:
> > [EMAIL PROTECTED] writes:
> > > >>>>> "Han-Wen" == Han-Wen Nienhuys <[EMAIL PROTECTED]> writes:
> > >
> > > Han-Wen> Any version that uses TeX to output has lots of holes.
> > > Han-Wen> You can do
> > >
> > > Han-Wen> \header{ bla = "}\input /etc/passwd \def\bla{" }
> > >
> > > Han-Wen> to get /etc/passwd into the output.
> > >
> > > ok, i've disallowed the string "\input". are there any other ways a
> > > tex file can reach out to its environment?
> >
> > there is no way to make this foolproof.
> >
> > \def\bla{put}\csname in\bla\endcsname
> >
> > doesn't match your grep, while it has the same effect
>
>
> Isn't the trick, then, to disallow all back-slashes in the \header section.
That looks like a promising approach. I added it to
the TODO
> By the way, there used to be a bug in ly2dvi so it couldn't parse the
> Lilypond generated .tex file if you included curly brackets in any
> header field. The problem is that Lilypond inserts newlines at the
> brackets and ly2dvi could only parse single line definitions.
> I don't know if the problem still remains. If it does, it's maybe
> a (crude) solution to most of the security problems.
I fixed it, and it wouldn't work as a security measure anyway (bla =
"foo}\n\def\dangerous{")
>
> /Mats
--
Han-Wen Nienhuys, [EMAIL PROTECTED] ** GNU LilyPond - The Music Typesetter
http://www.cs.uu.nl/people/hanwen/lilypond/index.html
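An added illustration of the point made in the thread (example code, not LilyPond's or ly2dvi's own): a grep for the literal string `\input` accepts the `\csname` and newline payloads quoted above, the proposed "no backslash at all" rule rejects all of them, and escaping every TeX-active character renders a field inert as literal text. The escape spellings assume the generated file is processed by LaTeX; the sample values are constructed here.

```python
# Constructed sample header values: the first three are the payloads
# quoted in the thread, the last is an ordinary title.
SAMPLES = {
    "input":   '}\\input /etc/passwd \\def\\bla{',
    "csname":  '\\def\\bla{put}\\csname in\\bla\\endcsname',
    "newline": 'foo}\n\\def\\dangerous{',
    "benign":  'Sonata in G & Variations (100% cotton)',
}

# The first attempt described in the thread: refuse only the literal "\input".
def naive_blocklist_ok(field: str) -> bool:
    return "\\input" not in field

# The fix proposed in the thread: refuse any backslash in a header field.
def no_backslash_ok(field: str) -> bool:
    return "\\" not in field

# Stronger alternative (assumption, not the project's code): escape every
# character that TeX treats as special, so the value stays inside the quotes
# and cannot open a group, close one, or start a control sequence.
# Spellings such as \textbackslash assume LaTeX.
TEX_ESCAPES = {
    "\\": r"\textbackslash{}",
    "{": r"\{", "}": r"\}", "$": r"\$", "&": r"\&",
    "#": r"\#", "%": r"\%", "_": r"\_",
    "~": r"\textasciitilde{}", "^": r"\textasciicircum{}",
}

def escape_tex(field: str) -> str:
    return "".join(TEX_ESCAPES.get(ch, ch) for ch in field)

def header_line(name: str, value: str) -> str:
    """Render one header assignment with the value made inert."""
    return f'{name} = "{escape_tex(value)}"'

def audit() -> dict:
    """For each sample: (accepted by the naive grep, accepted by the strict rule)."""
    return {k: (naive_blocklist_ok(v), no_backslash_ok(v)) for k, v in SAMPLES.items()}

if __name__ == "__main__":
    for name, (naive, strict) in audit().items():
        print(f"{name:8s} naive_ok={naive!s:5s} strict_ok={strict!s:5s}")
    print(header_line("title", SAMPLES["input"]))
```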