On Thu, May 21, 2009 at 8:38 AM, Matthias Kilian <[email protected]> wrote:
> On Thu, May 21, 2009 at 11:41:36AM +0100, Alex wrote:
>> Yeah, I've just been looking at safe-lily.scm which appears to filter
>> any given module against the safe funcs....
>> Also I saw the bit that bans include files when in safe mode.
>> So, the CPU style DoS attack aside, do the above two cover all known
>> vectors of attack?
>
> Who knows? You have to audit *all* functions allowed in safe-lily.scm.
> And you have to check every future change to those functions. I don't
> believe that such a safe mode will ever be enough to make a program
> really safe.

There is another option I discussed with Dscho; you could make an --extra-safe mode, which reads the s-exps, but does not call GUILE's eval. It should be feasible to replace the Scheme eval with a simpler one (which does not call functions or macros). This would significantly limit the attack possibilities.

-- 
Han-Wen Nienhuys - [email protected] - http://www.xs4all.nl/~hanwen

_______________________________________________
lilypond-user mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/lilypond-user
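The --extra-safe idea above, as an added Python sketch that is neither LilyPond's nor Han-Wen's code: an S-expression reader that turns input into plain data, and a `safe_eval` that returns only literals and quoted data and refuses every application form, so nothing in the input can call a function or macro. The names `read`, `safe_eval` and `accepts` are assumptions, and the inputs checked below are constructed.

```python
import re
# Added illustration (not LilyPond's code): a data-only S-expression reader in the
# spirit of the proposed --extra-safe mode; nothing in the input is ever applied.
TOKEN_RE = re.compile(r'"(?:\\.|[^"\\])*"|[()\']|[^\s()\']+')
NUM_RE = re.compile(r'^[-+]?(\d+\.?\d*|\.\d+)(e[-+]?\d+)?$', re.I)

class Symbol(str):
    pass  # a Scheme symbol, kept distinct from a Scheme string

def read(text):
    """Parse Scheme source into a list of plain-data forms; nothing is evaluated."""
    tokens = TOKEN_RE.findall(text)[::-1]  # reversed so pop() yields the next token
    forms = []
    while tokens:
        forms.append(_read_form(tokens))
    return forms

def _read_form(tokens):
    tok = tokens.pop()
    if tok == '(':
        items = []
        while tokens and tokens[-1] != ')':
            items.append(_read_form(tokens))
        if not tokens: raise SyntaxError("unbalanced parentheses")
        tokens.pop()
        return items
    if tok == ')': raise SyntaxError("unexpected ')'")
    if tok == "'":  # 'x is shorthand for (quote x)
        return [Symbol('quote'), _read_form(tokens)]
    if tok.startswith('"'):  # string literal; escape sequences left verbatim
        return tok[1:-1]
    if tok in ('#t', '#f'): return tok == '#t'
    if NUM_RE.match(tok):
        return float(tok) if re.search(r'[.eE]', tok) else int(tok)
    return Symbol(tok)

def safe_eval(form):
    """Literals and quoted data pass; any call, macro use or variable lookup is refused."""
    if isinstance(form, list):
        if len(form) == 2 and form[0] == Symbol('quote'):
            return form[1]  # quoted data comes back untouched, never executed
        raise ValueError(f"refusing to apply {form[0] if form else '()'}")
    if isinstance(form, Symbol):
        raise ValueError(f"refusing to look up symbol {form}")
    return form  # self-evaluating literal

def accepts(text):
    """True if every top-level form in text passes safe_eval."""
    try:
        for form in read(text):
            safe_eval(form)
        return True
    except (ValueError, SyntaxError):
        return False
```

A real --extra-safe mode would still have to decide what the program does with the resulting data, but the reader itself gives an attacker no function to call.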
