Page MenuHomePhabricator
Create Task
Maniphest T171372

Find alternative to safe mode in Lilypond
Closed, ResolvedPublic
Actions

Description

When typesetting a score, the command being run uses the -dsafe option, of which ensures security against malicious code, but also removes many disparate features that would be useful to the extension. This safeguard is very important, but is very rigid. Lilypond has an alternative, meant specifically for web use, but is somewhat harder to setup.

As outlined in their manual, it involves running in a chroot jail and using the --jail option. The manual also has documentation on its implications and instructions to setup (on the linked page).

Details

ProjectBranchLines +/-Subject
mediawiki/extensions/Scoremaster+10 -3Add option to use `-dsafe` argument in Lilypond command
Customize query in gerrit

Revisions and Commits

rESCR extension-Score
rESCR8db2ac5cf0a9 Run lilypond from inside firejail

Related Objects
Search...

Event Timeline

Ebe123 created this task.Jul 22 2017, 4:25 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 22 2017, 4:25 AM
Ebe123 added a subtask: T161293: Paper format with Score extension in Wikipedia is A4 only.Jul 22 2017, 4:26 AM
Ebe123 added a subtask: T60526: Score: Colors names (e.g. #red) are not recognized.
Ebe123 added a subtask: T54883: Usage of variables should be possible in lilypond code.
Roomsixhu added a subscriber: Roomsixhu.Jul 22 2017, 12:56 PM
Ebe123 added a project: Security-General.Jul 25 2017, 5:32 AM

Something to figure out is just how feasible it is. This is the solution to most of the big problems there are currently, but would be hard to implement. Further, various systems have different workflows to create a chroot jail, if there is at all; Windows does not as an example. Part of the implementation would thus be adding this as an option, and passed around the extension to modify the commands.

Other extensions, such as MediaWiki-extensions-Scribunto have a "sandbox" approach, and one extension, Extension:Pipes uses our approach, but is unsupported, and with a big warning attached.

Reedy removed subtasks: T54883: Usage of variables should be possible in lilypond code, T60526: Score: Colors names (e.g. #red) are not recognized, T161293: Paper format with Score extension in Wikipedia is A4 only.Aug 5 2017, 1:37 AM
Reedy mentioned this in T172582: Run score binaries in a firejail.Aug 5 2017, 1:40 AM
Ebe123 updated the task description. (Show Details)Aug 5 2017, 1:55 AM
Ebe123 added subtasks: T54883: Usage of variables should be possible in lilypond code, T60526: Score: Colors names (e.g. #red) are not recognized, T161293: Paper format with Score extension in Wikipedia is A4 only.
Ebe123 added a comment.Aug 5 2017, 1:59 AM

The '-dsafe' option disables many different features from use in our <score tags, and so even though these subtasks look unrelated, they all have the same root cause it seems.

Ebe123 added a comment.EditedAug 5 2017, 3:03 AM

Another solution is to use firejail. This may be easier to setup. ( Thanks @Reedy )

Ebe123 added a subscriber: Reedy.Aug 5 2017, 3:04 AM
Ebe123 moved this task from Backlog to In Progress on the MediaWiki-extensions-Score board.Aug 5 2017, 4:27 AM
Ebe123 claimed this task.Aug 5 2017, 4:29 AM
gerritbot added a subscriber: gerritbot.Aug 5 2017, 5:13 AM

Change 370306 had a related patch set uploaded (by Ebe123; owner: Ebe123):
[mediawiki/extensions/Score@master] Run lilypond from inside firejail

https://gerrit.wikimedia.org/r/370306

gerritbot added a project: Patch-For-Review.Aug 5 2017, 5:13 AM
Ebe123 added a commit: rESCR8db2ac5cf0a9: Run lilypond from inside firejail.Aug 5 2017, 5:15 AM
gerritbot added a comment.Aug 5 2017, 10:37 PM

Change 370358 had a related patch set uploaded (by Ebe123; owner: Ebe123):
[operations/mediawiki-config@master] Run Lilypond from Firejail

https://gerrit.wikimedia.org/r/370358

gerritbot added a comment.Aug 5 2017, 11:41 PM

Change 370361 had a related patch set uploaded (by Ebe123; owner: Ebe123):
[operations/puppet@production] Run Lilypond from Firejail

https://gerrit.wikimedia.org/r/370361

Reedy added a parent task: T172582: Run score binaries in a firejail.Aug 6 2017, 12:50 AM
Reedy removed a subtask: T54883: Usage of variables should be possible in lilypond code.
Reedy added a parent task: T54883: Usage of variables should be possible in lilypond code.
Reedy removed a subtask: T60526: Score: Colors names (e.g. #red) are not recognized.Aug 6 2017, 12:53 AM
Reedy added a parent task: T60526: Score: Colors names (e.g. #red) are not recognized.
Reedy removed a subtask: T161293: Paper format with Score extension in Wikipedia is A4 only.
Reedy added a parent task: T161293: Paper format with Score extension in Wikipedia is A4 only.
Reedy added a comment.Aug 6 2017, 12:56 AM

I just realised another reason I got confused with those tasks, they weren't the right way round; the fact lilypond is not run in a firejail, and as such, does run in safe mode, prevents those features etc. They don't prevent this.

Also, see T172582, we should ideally run all the binaries that Score shells out to in firejails

Ebe123 removed a parent task: T172582: Run score binaries in a firejail.Aug 6 2017, 2:06 AM
Ebe123 added a parent task: T172582: Run score binaries in a firejail.Aug 6 2017, 2:43 AM
Ebe123 renamed this task from Run lilypond from inside a chroot jail to Find alternative to safe mode in Lilypond.Aug 6 2017, 2:50 AM

A global on whether to use the -dsafe option could be $wgScoreSafeMode, which the patch is providing.

Ebe123 added a parent task: T49604: Score should support note names in other languages.Aug 7 2017, 10:26 PM
dpatrick added a subscriber: dpatrick.Aug 17 2017, 6:01 PM
gerritbot added a comment.Aug 28 2017, 9:21 PM

Change 370306 merged by jenkins-bot:
[mediawiki/extensions/Score@master] Add option to use -dsafe argument in Lilypond command

https://gerrit.wikimedia.org/r/370306

Ebe123 closed this task as Resolved.Aug 29 2017, 12:16 AM
Ebe123 mentioned this in T174413: Set $wgScoreSafeMode to false.

An option has been set to enable/disable SafeMode, so now T174413: Set $wgScoreSafeMode to false is left for Wikimedia Wikis.

Reedy mentioned this in T257062: Lilypond seemingly not subject to restrictions (CVE-2020-29007).Jul 3 2020, 4:43 PM
Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL