https://bugzilla.wikimedia.org/show_bug.cgi?id=29630
Web browser: ---
Bug #: 29630
Summary: Make [[mw:Extension:LilyPond]] safe against DoS attacks
Product: MediaWiki extensions
Version: any
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: Unprioritized
Component: [other]
AssignedTo: [email protected]
ReportedBy: [email protected]
Blocks: 189
Classification: Unclassified
Per bug 189 comment 37[1] and bug 189 comment 105 [2], the current
implementation of the LilyPond extension is not safe. It needs to be improved
in order to not allow [[denial-of-service attacks]] on wikis where it is used.
So, I'm opening this bug to track this specific issue of the extension.
The following pages on MediaWiki.org may be useful:
* [[mw:Security for developers]]
* [[mw:Manual:Security]]
Besides, per bug 189 comment 42[3] TeX has similar issues and it was possible
to make it reasonably safe (indeed the <math> tags, added by
[[mw:Extension:Math]], are in use on Wikimedia projects). So, maybe the
solution which was applied there could be adapted to this extension too.
On bug 189 comment 82[4], Aryeh Gregor also indicated some ways in which this
could be fixed:
----
> > But in the same message Graham Percival said that "trying to keep lilypond
> > within certain CPU-time limits is going to be hard". Would this be solved by
> > doing what Dscho said at
> > http://lists.gnu.org/archive/html/lilypond-devel/2009-02/msg00023.html
> > ?
>
> You mean:
>
> > But we could add a simple timeout that says "if this fails to
> > terminate in 20 seconds, it errors _out_".
>
> I assume that would address all DoS concerns, if memory and disk use are also
> limited (either explicitly, or as a practical matter). I'd assume that any
> reasonable score could be created in well under 20 seconds. It wouldn't be
> ideal, though. It would lead to intermittent failure for input that's close to
> the limit, and it might cause occasional failures if the server is under high
> load briefly for some reason.
>
> For wikitext, which can also be very slow, we have limits like "no more than X
> of this instruction" instead, calibrated so as to make DoS unlikely. Likewise,
> for ImageMagick I believe we have pixel limits on what images it will try to
> resize. This way the software behaves consistently regardless of server load
> or other hard-to-control factors, but it's harder to do, of course.
>
> > After this, it was said that "Scheme just should be disabled for the purpose of
> > the MediaWiki extension."
> > (http://lists.gnu.org/archive/html/lilypond-devel/2009-04/msg00265.html). How
> > much of the issues would be solved with this?
>
> I'd assume that disabling Scheme would be necessary, but not sufficient.
After that, on bug 189 comment 87[5], Tim said that this approach "sounds like
an overkill".
[1]https://bugzilla.wikimedia.org/show_bug.cgi?id=189#c37
[2]https://bugzilla.wikimedia.org/show_bug.cgi?id=189#c105
[3]https://bugzilla.wikimedia.org/show_bug.cgi?id=189#c42
[4]https://bugzilla.wikimedia.org/show_bug.cgi?id=189#c82
[5]https://bugzilla.wikimedia.org/show_bug.cgi?id=189#c87
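
Added example, not part of the bug report or of the extension's code: a POSIX wrapper that runs an external renderer under the combination discussed in the quoted comment, a wall-clock timeout plus CPU, memory and file-size limits. The function names and all limit values except the 20-second figure are assumptions.

```python
import resource
import subprocess
import tempfile

# Assumed limits for illustration; 20 s is the figure quoted in the thread.
WALL_SECONDS = 20
CPU_SECONDS = 20
MEM_BYTES = 1 << 30      # address-space cap (assumed value)
FILE_BYTES = 16 << 20    # largest file the child may write (assumed value)


def _cap(res, value):
    """Lower soft and hard limit together, never above the inherited hard limit."""
    _, hard = resource.getrlimit(res)
    if hard != resource.RLIM_INFINITY:
        value = min(value, hard)
    resource.setrlimit(res, (value, value))


def run_limited(argv, source, wall=WALL_SECONDS, cpu=CPU_SECONDS,
                mem=MEM_BYTES, fsize=FILE_BYTES):
    """Run argv with `source` on stdin; return (status, stdout_bytes)."""
    def limits():                      # runs in the child, before exec
        _cap(resource.RLIMIT_CPU, cpu)
        _cap(resource.RLIMIT_AS, mem)
        _cap(resource.RLIMIT_FSIZE, fsize)

    # stdout goes to a regular file so RLIMIT_FSIZE also bounds the output,
    # and the child works in a throwaway directory.
    with tempfile.TemporaryDirectory() as workdir, \
            tempfile.TemporaryFile() as out:
        try:
            proc = subprocess.run(argv, input=source, stdout=out,
                                  stderr=subprocess.DEVNULL, cwd=workdir,
                                  preexec_fn=limits, timeout=wall)
        except subprocess.TimeoutExpired:
            return "timeout", b""      # subprocess.run kills the child itself
        out.seek(0)
        data = out.read()
    if proc.returncode < 0:
        return "killed", data          # terminated by a signal, e.g. CPU limit
    return ("ok" if proc.returncode == 0 else "failed"), data
```

The wall-clock timeout catches a child that sleeps or blocks without using CPU, while the CPU limit still applies when the server is slow; helper processes forked by the renderer inherit the rlimits but are not killed by the timeout.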