Per bug 189 comment 37[1] and bug 189 comment 105[2], the current implementation of the LilyPond extension is not safe. It needs to be improved in order to not allow [[denial-of-service attacks]] on wikis where it is used.
So, I'm opening this bug to track this specific issue of the extension.
The following pages on MediaWiki.org may be useful:
- [[mw:Security for developers]]
- [[mw:Manual:Security]]
Besides, per bug 189 comment 42[3], TeX has similar issues and it was possible to make it reasonably safe (indeed the <math> tags, added by [[mw:Extension:Math]], are in use on Wikimedia projects). So, maybe the solution which was applied there could be adapted to this extension too.
On bug 189 comment 82[4], Aryeh Gregor also indicated some ways in which this could be fixed:
But in the same message Graham Percival said that "trying to keep lilypond
within certain CPU-time limits is going to be hard". Would this be solved by
doing what Dscho said at
http://lists.gnu.org/archive/html/lilypond-devel/2009-02/msg00023.html
?

You mean:

But we could add a simple timeout that says "if this fails to
terminate in 20 seconds, it errors _out_".

I assume that would address all DoS concerns, if memory and disk use are also
limited (either explicitly, or as a practical matter). I'd assume that any
reasonable score could be created in well under 20 seconds. It wouldn't be
ideal, though. It would lead to intermittent failure for input that's close to
the limit, and it might cause occasional failures if the server is under high
load briefly for some reason.

For wikitext, which can also be very slow, we have limits like "no more than X
of this instruction" instead, calibrated so as to make DoS unlikely. Likewise,
for ImageMagick I believe we have pixel limits on what images it will try to
resize. This way the software behaves consistently regardless of server load
or other hard-to-control factors, but it's harder to do, of course.

After this, it was said that "Scheme just should be disabled for the purpose of
the MediaWiki extension."
(http://lists.gnu.org/archive/html/lilypond-devel/2009-04/msg00265.html). How
much of the issues would be solved with this?

I'd assume that disabling Scheme would be necessary, but not sufficient.

After that, on bug 189 comment 87[5], Tim said that this approach "sounds like an overkill".
[1] https://bugzilla.wikimedia.org/show_bug.cgi?id=189#c37
[2] https://bugzilla.wikimedia.org/show_bug.cgi?id=189#c105
[3] https://bugzilla.wikimedia.org/show_bug.cgi?id=189#c42
[4] https://bugzilla.wikimedia.org/show_bug.cgi?id=189#c82
[5] https://bugzilla.wikimedia.org/show_bug.cgi?id=189#c87
Version: unspecified
Severity: major
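
The timeout combined with memory and disk limits, as discussed in the quoted comment, sketched as an added example (not code from the LilyPond extension or from the bug). The 20-second wall-clock figure is the one quoted above; the CPU, memory and file-size values and the names `run_limited` and `_cap` are assumptions, and a Python interpreter stands in for the renderer so the sketch runs without LilyPond.

```python
import os
import resource
import signal
import subprocess
import sys

WALL_SECONDS = 20        # wall-clock budget quoted in the discussion
CPU_SECONDS = 20         # assumption: same budget for CPU time
MEM_BYTES = 1 << 30      # assumption: 1 GiB of address space
FILE_BYTES = 16 << 20    # assumption: 16 MiB per file the child writes

def _cap(kind, value):
    """Set soft and hard limit to value, never above the inherited hard limit."""
    hard = resource.getrlimit(kind)[1]
    if hard != resource.RLIM_INFINITY:
        value = min(value, hard)
    resource.setrlimit(kind, (value, value))

def run_limited(argv, wall=WALL_SECONDS, cpu=CPU_SECONDS,
                mem=MEM_BYTES, fsize=FILE_BYTES):
    """Run argv under the limits; return 'ok', 'error', 'killed' or 'timeout'."""
    def setup():  # runs in the child between fork and exec
        _cap(resource.RLIMIT_CPU, cpu)
        _cap(resource.RLIMIT_AS, mem)
        _cap(resource.RLIMIT_FSIZE, fsize)

    # Output goes to /dev/null so the parent never buffers unbounded data.
    proc = subprocess.Popen(
        argv, stdin=subprocess.DEVNULL, stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL, preexec_fn=setup,
        start_new_session=True)  # own process group, so helper processes die too
    try:
        code = proc.wait(timeout=wall)
    except subprocess.TimeoutExpired:
        os.killpg(proc.pid, signal.SIGKILL)  # kill the whole group, not just the child
        proc.wait()
        return "timeout"
    if code < 0:  # terminated by a signal, e.g. SIGXCPU or SIGKILL at the CPU limit
        return "killed"
    return "ok" if code == 0 else "error"

# Constructed stand-ins for the renderer command line.
SPIN = [sys.executable, "-c", "while True: pass"]
SLEEP = [sys.executable, "-c", "import time; time.sleep(60)"]
FINE = [sys.executable, "-c", "print('rendered')"]
FAIL = [sys.executable, "-c", "raise SystemExit(3)"]
```

The wall-clock timeout is the load-dependent limit the comment warns about; the CPU-time limit counts only time the process actually runs, so it is less sensitive to a briefly overloaded server.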