2009/5/18 Alex <[email protected]>:
> I'm wanting to run lilypond behind a web interface as a free tool that
> anyone can use. The proof-of-concept seems to work fine. Now I'm
> thinking of security considerations. In particular, what input to
> lilypond is possible that could have nuisance or destructive effect?
>
Is it possible to get Lilypond to include a text file? Something like:
\markup { \include "/etc/passwd" }
This doesn't actually work (it just writes out "/etc/passwd"), but if
you find a way of doing this, this would be a potential security
issue. Also, consider what might happen if someone uploads a file
called:
"test.ly; rm /var/www/"
These examples are specific to Linux/UNIX, but there will be
equivalents for any OS.
Regards,
Joe
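
Added example, not part of the original message: one way a web front end could keep an upload name such as "test.ly; rm /var/www/" away from both the filesystem and the shell. It assumes a Python backend with lilypond on the PATH; the function names store_upload, lilypond_argv, render and demo are hypothetical.

```python
import secrets
import subprocess
import tempfile
from pathlib import Path

# Constructed sample: the hostile upload name from the message above.
HOSTILE_NAME = "test.ly; rm /var/www/"


def store_upload(data: bytes, workdir: Path) -> Path:
    """Save the upload under a server-generated name.

    The client-supplied filename is deliberately not a parameter: it never
    becomes part of a path or a command line.
    """
    path = workdir / (secrets.token_hex(16) + ".ly")
    path.write_bytes(data)
    return path


def lilypond_argv(source: Path, workdir: Path) -> list[str]:
    """Build the command as an argument list, so no shell parses it."""
    out_base = workdir / source.stem
    return ["lilypond", f"--output={out_base}", str(source)]


def render(source: Path, workdir: Path, timeout_s: int = 30):
    """Run lilypond without a shell; the timeout bounds runaway input."""
    return subprocess.run(
        lilypond_argv(source, workdir),
        shell=False, cwd=workdir, capture_output=True, timeout=timeout_s,
    )


def demo() -> list[str]:
    """Store a constructed upload and return the argv that would be run."""
    with tempfile.TemporaryDirectory() as tmp:
        workdir = Path(tmp)
        # HOSTILE_NAME would arrive with the upload; it is only logged, quoted.
        print("client sent name:", repr(HOSTILE_NAME))
        source = store_upload(b"{ c' d' e' f' }\n", workdir)
        return lilypond_argv(source, workdir)


if __name__ == "__main__":
    print(demo())
```

This covers only the filename case; what the .ly source itself can make lilypond read or execute is a separate question.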