Re: weblily: security risk

2010-03-12 Thread Caio Barros
2010/3/12 Tim McNamara > > On Mar 11, 2010, at 6:17 AM, Weblily wrote: > > PS: I am currently preparing an article about weblily.net for the >> LilyPond Report. Maybe this can be a starting point for discussing ideas >> about how weblily.net might become a useful tool for the LilyPond >> communi

Re: weblily: security risk

2010-03-12 Thread Tim McNamara
On Mar 11, 2010, at 6:17 AM, Weblily wrote: PS: I am currently preparing an article about weblily.net for the LilyPond Report. Maybe this can be a starting point for discussing ideas about how weblily.net might become a useful tool for the LilyPond community. One thing that springs to mi

Re: weblily: security risk

2010-03-12 Thread Weblily
Hi Graham, thank you for sharing your thoughts about weblily.net. Of course, security is a concern I have on my mind and I'd be happy to get into discussion with you and other knowledgeable people on security issues. And I will do my very best not to fall prey to all those evil people out ther

Re: weblily: security risk

2010-03-11 Thread Han-Wen Nienhuys
I have poked around a bit, and could not find obvious holes, but you are exposing the unix system, so it is a bit scary. For example, if there are local exploits in the kernel, this system makes it a remote exploit for weblily, and the fact that uname is available (telling me you are on 2.6.31.ec2.

Re: weblily: security risk

2010-03-11 Thread Bertalan Fodor (LilyPondTool)
Note that there are existing efforts on creating a service that can be used to render lilypond scores in Google Wave or in any web application. You can get its code at http://code.google.com/p/lilypondy/source/browse/#svn/trunk/lilywaveservlet You can see so

Re: weblily: security risk

2010-03-10 Thread Graham Percival
I apologize for this email; I jumped to a false conclusion and made a baseless accusation. I now have no reason to believe that weblily poses a risk. I'm sorry. - Graham Percival On Wed, Mar 10, 2010 at 08:21:24PM +, Graham Percival wrote: > Mr. Weblily, > > I like your enthusiasm with yo

Re: weblily: security risk

2010-03-10 Thread Graham Percival
I admit that I only tested getcwd, but doesn't a jail normally report the main dir as / rather than /home/lily ? ... hmm, ok, apparently not. Ok, it might be safe after all. At least, my earlier investigations were flawed, and I'm not keen to continue snooping around. - Graham On Wed, Mar 10,

Re: weblily: security risk

2010-03-10 Thread Han-Wen Nienhuys
This is what weblily wrote to me a couple of weeks ago. ** Hi Han-Wen, I've continued to work on weblily.net. Now it looks to me almost like something useful. Of course, I've taken your advice and now LilyPond is running in a jail. Quite cool: I modified the notation reference: When you click on

weblily: security risk

2010-03-10 Thread Graham Percival
Mr. Weblily, I like your enthusiasm with your weblily project, but for Mao's sake please learn something about computer security. The current website is completely insecure. This is not a theoretical concern. It would take me approximately two minutes to delete everything in your /home/lily/ di