diff --git a/Documentation/en/contributor/lsr-work.itexi b/Documentation/en/contributor/lsr-work.itexi index f2b92ff6568c9aa52ce23f00350aadc34f86868d..d81047ca412944ad688d003cc47517eceb591190 100644 --- a/Documentation/en/contributor/lsr-work.itexi +++ b/Documentation/en/contributor/lsr-work.itexi @@ -219,40 +219,6 @@ this do scripts/auxiliar/makelsr.py --help @end smallexample -@item -Follow the instructions printed on the console to manually check for -unsafe files. These are: - -@example -Unsafe files printed in lsr-unsafe.txt: CHECK MANUALLY! - git add Documentation/snippets/*.ly - xargs git diff HEAD < lsr-unsafe.txt -@end example - -First, it's important to check for any added files and add them to -the files git is tracking. Run @code{git status} and look -carefully to see if files have been added. If so, add them with -@code{git add}. - -As the console says, @command{makelsr} creates a list of possibly -unsafe files in @file{lsr-unsafe.txt} by running @code{lilypond} -against each snippet using the @code{-dsafe} switch. This list can be -quite long. However, by using the command @code{xargs git diff HEAD < -lsr-unsafe.txt} git will take that list and check whether any of the -snippets are different from the snippet already in master. If any is -different it must be checked manually VERY CAREFULLY. - -@warning{Somebody could sneak a @code{#'(system "rm -rf /")} -command into our source tree if you do not do this! Take this -step @strong{VERY SERIOUSLY}.} - -If there is any doubt about any of the files, you are strongly -advised to submit a merge request to get review. - -@item -If a review is not needed, merge to @code{master} after the changes -passed automatic testing. - @end enumerate Note that whenever there is a snippet in @@ -510,4 +476,3 @@ done Output from LilyPond is in @file{filename.txt} and convert-ly in @file{filename.con.txt}. - diff --git a/Documentation/en/contributor/programming-work.itexi b/Documentation/en/contributor/programming-work.itexi index 200acc1db08c2ab2654308356a5f45e0f92eedf1..689415ff63b9530872f878f5ec3d848d1eebf8a6 100644 --- a/Documentation/en/contributor/programming-work.itexi +++ b/Documentation/en/contributor/programming-work.itexi @@ -453,8 +453,7 @@ syn keyword schemeSyntax define-method define-class " Additional LilyPond-specific 'forms' syn keyword schemeSyntax define-markup-command define-markup-list-command -syn keyword schemeSyntax define-safe-public define-music-function -syn keyword schemeSyntax def-grace-function +syn keyword schemeSyntax define-music-function def-grace-function " All of the above should influence indenting too setlocal lw+=define-public,define*-public @@ -464,8 +463,7 @@ setlocal lw+=defmacro-public,defmacro*-public setlocal lw+=use-modules,define-module setlocal lw+=define-method,define-class setlocal lw+=define-markup-command,define-markup-list-command -setlocal lw+=define-safe-public,define-music-function -setlocal lw+=def-grace-function +setlocal lw+=define-music-function,def-grace-function " These forms should not influence indenting setlocal lw-=if diff --git a/Documentation/en/extending/scheme-tutorial.itely b/Documentation/en/extending/scheme-tutorial.itely index b779a6359a7dde0f025766c1bd69739a5fe3b38c..5d0570f4c0d6cf5c60faeb6b2f52d45d36ac7e85 100644 --- a/Documentation/en/extending/scheme-tutorial.itely +++ b/Documentation/en/extending/scheme-tutorial.itely @@ -921,11 +921,6 @@ If you need it to be executed at a later point of time, check out @{ c'4 @} @end example -@knownissues - -Mixing Scheme and LilyPond variables is not possible with the -@option{--safe} option. - @node Object properties @subsection Object properties diff --git a/Documentation/en/usage/running.itely b/Documentation/en/usage/running.itely index 6ef0666e4fba14fde530b3d8121a166c91dbf0f5..a621edb6959be5b5826934a0f9468b89144282c9 100644 --- a/Documentation/en/usage/running.itely +++ b/Documentation/en/usage/running.itely @@ -289,18 +289,31 @@ path.} Run @command{lilypond} in a chroot jail. -The @option{--jail} option provides a more flexible alternative to -@option{-dsafe}, when LilyPond formatting is being provided via a web -server, or whenever LilyPond executes commands sent by external sources -(see @ref{Advanced command line options for LilyPond}). - -It works by changing the root of @command{lilypond} to @var{jail} just -before starting the actual compilation process. The user and group are -then changed to match those provided, and the current directory is -changed to @var{dir}. This setup guarantees that it is not possible (at -least in theory) to escape from the jail. Note that for @option{--jail} -to work, @command{lilypond} must be run as root, which is usually -accomplished in a safe way using @command{sudo}. +The @option{--jail} option can be used for security when LilyPond +formatting is being provided via a web server, or whenever LilyPond executes +commands sent by external sources (see @ref{Advanced command +line options for LilyPond}). Because LilyPond provides the ability +to run Guile programs, it is essential in such scenarios to run it +in a sandboxed way so that the file being compiled does not wreak +havoc on the system, for example with + +@example +% too dangerous to write correctly +#(s ystem "rm -rf /") +% malicious but not destructive +@{ c4^$(ly:gulp-file "/etc/passwd") @} +@end example + +@option{--jail} is one way to achieve sandboxing. Another one is +running LilyPond in a Docker container. + +The @option{--jail} option works by changing the root of @command{lilypond} +to @var{jail} just before starting the actual compilation process. +The user and group are then changed to match those provided, and the +current directory is changed to @var{dir}. This setup guarantees that +it is not possible (at least in theory) to escape from the jail. +Note that for @option{--jail} to work, @command{lilypond} must be run +as root, which is usually accomplished in a safe way using @command{sudo}. Setting up a jail can be a relatively complex matter, as we must be sure that LilyPond is able to find whatever it needs to compile the source @@ -809,43 +822,6 @@ Default: @code{#t}. Set resolution for generating @code{PNG} pixmaps to @var{num} dpi. Default: @code{101}. -@item @code{safe} @var{bool} -If @var{bool} is @code{#t}, do not trust the @file{.ly} input. -Default: @code{#f}. - -When LilyPond formatting is available through a web server, either -the @code{-dsafe} or the @option{--jail} option @b{MUST} be passed. -The @code{-dsafe} option prevents inline Scheme code from wreaking -havoc, e.g., - -@example -% too dangerous to write correctly -#(s ystem "rm -rf /") -% malicious but not destructive -@{ c4^$(ly:gulp-file "/etc/passwd") @} -@end example - -The @option{-dsafe} option works by evaluating in-line Scheme -expressions in a special safe module. This is derived from GUILE's -@file{safe-r5rs} module, but also adds a number of functions of the -LilyPond API which are listed in @file{scm/safe-lily.scm}. - -In addition, safe mode disallows @code{\include} directives and -disables the use of backslashes in @TeX{} strings. It is also not -possible to import LilyPond variables into Scheme while in safe mode. - -Option @option{-dsafe} does @emph{not} detect resource overuse, so it is still -possible to make the program hang indefinitely, for example by feeding -cyclic data structures into the backend. Therefore, if using LilyPond -on a publicly accessible webserver, the process should be limited in -both CPU and memory usage. - -Safe mode will prevent many useful LilyPond snippets from being -compiled. - -Option @option{--jail} is an even more secure alternative, but requires -more work to set up. See @ref{Basic command line options for LilyPond}. - @item @code{separate-log-files} @var{bool} For input files @file{file1.ly}, @file{file2.ly}, @dots{}, output log data to files @file{file1.log}, @file{file2.log}, @dots{}, if diff --git a/input/regression/safe.ly b/input/regression/safe.ly deleted file mode 100644 index 33fdfe584cc5bba1442be13027c27706b5e50634..0000000000000000000000000000000000000000 --- a/input/regression/safe.ly +++ /dev/null @@ -1,20 +0,0 @@ -\version "2.16.0" - -expect-error = ##t - -% Ugh - this affects other files too. -#(ly:set-option 'protected-scheme-parsing #t) -#(ly:set-option 'safe #t) - -force-finish = ##t - -\header{ - texidoc = "This should not survive lilypond --safe-mode" - - #(open-file "w") -} - - -#(open-file "/tmp/safe-guile.scm") - -\include "this-should-fail.ly" diff --git a/lily/book.cc b/lily/book.cc index 3fe0108ec1a3dcb51abc2b0721ab8fbe4eb4a86d..a1a3aa4a1cb90a55ad1bbb07269f54842877daf6 100644 --- a/lily/book.cc +++ b/lily/book.cc @@ -63,7 +63,7 @@ Book::Book (Book const &s) input_location_ = s.origin ()->smobbed_copy (); - header_ = ly_make_module (false); + header_ = ly_make_module (); if (ly_is_module (s.header_)) ly_module_copy (header_, s.header_); SCM *t = &scores_; @@ -134,7 +134,7 @@ Book::set_parent (Book *parent) /* Copy the header block of the parent */ if (ly_is_module (parent->header_)) { - SCM tmp_header = ly_make_module (false); + SCM tmp_header = ly_make_module (); ly_module_copy (tmp_header, parent->header_); if (ly_is_module (header_)) ly_module_copy (tmp_header, header_); diff --git a/lily/global-vars.cc b/lily/global-vars.cc index 17d3fd3eba225257603dcf8f2bf945d406f8cdfa..6db22b210ec06c78d0d5ab0d83d271fb24c83304 100644 --- a/lily/global-vars.cc +++ b/lily/global-vars.cc @@ -38,9 +38,6 @@ vector output_formats_global; /* Current output name. */ string output_name_global; -/* Run in safe mode? */ -bool be_safe_global = false; - /* Scheme code to execute before parsing, after .scm init. This is where -e arguments are appended to. */ string init_scheme_code_global; diff --git a/lily/include/includable-lexer.hh b/lily/include/includable-lexer.hh index 34928359b05b5593692e4956a7808f21fd2dea16..5c4e3e16d12a6de4496de3c0c3572926a48b4b21 100644 --- a/lily/include/includable-lexer.hh +++ b/lily/include/includable-lexer.hh @@ -48,7 +48,7 @@ public: std::vector file_name_strings_; Source_file *get_source_file () const; - virtual void new_input (const std::string &s, Sources *); + void new_input (const std::string &s, Sources *); void new_input (const std::string &name, std::string data, Sources *); diff --git a/lily/include/lily-imports.hh b/lily/include/lily-imports.hh index 3771b5c4d1b527aabd312d6f5ccbfb9f961fef35..e256b7ec2318f40b5431c106a68e80fabc39814e 100644 --- a/lily/include/lily-imports.hh +++ b/lily/include/lily-imports.hh @@ -123,7 +123,6 @@ extern Variable ly_make_event_class; extern Variable ly_music_p; extern Variable make_concat_markup; extern Variable make_music; -extern Variable make_safe_lilypond_module; extern Variable make_span_event; extern Variable markup_p; extern Variable markup_command_signature; diff --git a/lily/include/lily-lexer.hh b/lily/include/lily-lexer.hh index 57bfca75ec36999efa93733edcd28e897cc843f9..9a1cbe2fd18d381e25a30cee8111fb74404e466c 100644 --- a/lily/include/lily-lexer.hh +++ b/lily/include/lily-lexer.hh @@ -90,9 +90,6 @@ public: void start_main_input (); - void new_input (const std::string &s, Sources *) override; - using Includable_lexer::new_input; - bool top_input () { return include_stack_.size () < 2; } SCM lookup_identifier_symbol (SCM s); void push_extra_token (Input const &where, diff --git a/lily/include/lily-parser.hh b/lily/include/lily-parser.hh index 57ce56e47455219ec77da9adc5f7401d269489e2..c9db007d47503f2dcfce27f46a3e9527b06823c5 100644 --- a/lily/include/lily-parser.hh +++ b/lily/include/lily-parser.hh @@ -68,8 +68,6 @@ public: // The following is called as yyerror static void parser_error (Input const *i, Lily_parser *parser, SCM *, const std::string &s); void set_yydebug (bool); - - SCM make_scope () const; }; Output_def *get_layout (Lily_parser *parser); diff --git a/lily/include/ly-module.hh b/lily/include/ly-module.hh index 57919a6b477a8b5aa4362c2c6870b3947612fbab..2a8f5b82c1894049210aa7eb2c6ae577a62c9e4d 100644 --- a/lily/include/ly-module.hh +++ b/lily/include/ly-module.hh @@ -21,7 +21,7 @@ #include "lily-guile.hh" -SCM ly_make_module (bool safe); +SCM ly_make_module (); SCM ly_module_copy (SCM dest, SCM src); SCM ly_module_2_alist (SCM mod); SCM ly_modules_lookup (SCM modules, SCM sym, SCM); diff --git a/lily/include/main.hh b/lily/include/main.hh index a8ca5b28ae1a7567a186ad0cf72aae68131f5019..ac0d6bf8b338f921ce17448db11286c163c124e9 100644 --- a/lily/include/main.hh +++ b/lily/include/main.hh @@ -29,7 +29,6 @@ extern std::string init_name_global; /* options */ extern std::vector dump_header_fieldnames_global; extern std::string output_name_global; -extern bool be_safe_global; extern bool do_internal_type_checking_global; extern std::string lilypond_datadir; extern std::string lilypond_libdir; diff --git a/lily/include/parse-scm.hh b/lily/include/parse-scm.hh index 3b3e9079c0e0692ec17cba5b962fdfe89a2e22b5..b1a72f974cce54d82b93164d0848ec4b984582bb 100644 --- a/lily/include/parse-scm.hh +++ b/lily/include/parse-scm.hh @@ -26,7 +26,7 @@ extern bool parse_protect_global; extern bool parsed_objects_should_be_dead; -SCM evaluate_embedded_scheme (SCM form, Input const &start, bool safe, Lily_parser *parser); -SCM parse_embedded_scheme (const Input &start, bool safe, Lily_parser *parser, Input *parsed_output); +SCM evaluate_embedded_scheme (SCM form, Input const &start, Lily_parser *parser); +SCM parse_embedded_scheme (const Input &start, Lily_parser *parser, Input *parsed_output); #endif /* PARSE_SCM_HH */ diff --git a/lily/lexer.ll b/lily/lexer.ll index 952359f88ddff2835a33c60be5adc8ecb6cfa1c6..9284472c6517e7b5958224f30da8c19449b92c0b 100644 --- a/lily/lexer.ll +++ b/lily/lexer.ll @@ -361,7 +361,7 @@ FIG_ALT_EXPR {WHITE}*{FIG_ALT_SYMB}({FIG_ALT_SYMB}|{WHITE})* start.step_forward (); Input parsed; - SCM sval = parse_embedded_scheme (start, be_safe_global && is_main_input_, parser_, &parsed); + SCM sval = parse_embedded_scheme (start, parser_, &parsed); sval = eval_scm (sval, start); skip_chars (parsed.size ()); @@ -410,7 +410,7 @@ FIG_ALT_EXPR {WHITE}*{FIG_ALT_SYMB}({FIG_ALT_SYMB}|{WHITE})* Input hi = here_input(); hi.step_forward (); Input parsed; - SCM sval = parse_embedded_scheme (hi, be_safe_global && is_main_input_, parser_, &parsed); + SCM sval = parse_embedded_scheme (hi, parser_, &parsed); if (SCM_UNBNDP (sval)) error_level_ = 1; @@ -426,7 +426,7 @@ FIG_ALT_EXPR {WHITE}*{FIG_ALT_SYMB}({FIG_ALT_SYMB}|{WHITE})* hi.step_forward (); Input parsed; - SCM sval = parse_embedded_scheme (hi, be_safe_global && is_main_input_, parser_, &parsed); + SCM sval = parse_embedded_scheme (hi, parser_, &parsed); skip_chars (parsed.size ()); sval = eval_scm (sval, hi, '$'); @@ -1126,7 +1126,6 @@ Lily_lexer::eval_scm (SCM readerdata, Input location, char extra_token) { sval = evaluate_embedded_scheme (readerdata, location, - be_safe_global && is_main_input_, parser_); } diff --git a/lily/lily-imports.cc b/lily/lily-imports.cc index 04060bdfc569037f5be0893479dc433c69883fde..6d5b11b0f0e2632c06c91e21c3e200de14cac06a 100644 --- a/lily/lily-imports.cc +++ b/lily/lily-imports.cc @@ -113,7 +113,6 @@ Variable ly_make_event_class ("ly:make-event-class"); Variable ly_music_p ("ly:music?"); Variable make_concat_markup ("make-concat-markup"); Variable make_music ("make-music"); -Variable make_safe_lilypond_module ("make-safe-lilypond-module"); Variable make_span_event ("make-span-event"); Variable markup_p ("markup?"); Variable markup_command_signature ("markup-command-signature"); diff --git a/lily/lily-lexer.cc b/lily/lily-lexer.cc index ee1ceb72fe1a5cdea1f9f0b0c28a5e991b10f0c9..3ac98bd18cf8ca32a3f465186151c45e6d0a0540 100644 --- a/lily/lily-lexer.cc +++ b/lily/lily-lexer.cc @@ -126,7 +126,7 @@ Lily_lexer::Lily_lexer (Sources *sources, Lily_parser *parser) if (!keytable_.is_bound ()) keytable_ = make_keytable (); - add_scope (ly_make_module (false)); + add_scope (ly_make_module ()); push_note_state (); chordmodifier_tab_ = scm_make_vector (to_scm (1), SCM_EOL); } @@ -233,18 +233,6 @@ Lily_lexer::start_main_input () ly_string2scm (main_input_name_)); } -void -Lily_lexer::new_input (const string &str, Sources *ss) -{ - if (is_main_input_ && be_safe_global) - { - LexerError (_ ("include files are not allowed in safe mode").c_str ()); - return; - } - - Includable_lexer::new_input (str, ss); -} - // PATH is either a single symbol (or string) or a list of symbols // giving the path to a nested property. A symbol is treated the same // as a list of length 1. diff --git a/lily/lily-parser.cc b/lily/lily-parser.cc index e55216523c462f588a14c9303a33b620ede07570..94d859777bc73af575d993ce8eb9c34583185e22 100644 --- a/lily/lily-parser.cc +++ b/lily/lily-parser.cc @@ -271,10 +271,10 @@ get_header (Lily_parser *parser) { SCM id = parser->lexer_->lookup_identifier_symbol (ly_symbol2scm ("$defaultheader")); if (!ly_is_module (id)) - id = parser->make_scope (); + id = ly_make_module (); else { - SCM nid = parser->make_scope (); + SCM nid = ly_make_module (); ly_module_copy (nid, id); id = nid; } @@ -282,9 +282,3 @@ get_header (Lily_parser *parser) return id; } -SCM -Lily_parser::make_scope () const -{ - SCM module = ly_make_module (be_safe_global); - return module; -} diff --git a/lily/ly-module.cc b/lily/ly-module.cc index 71b420688cce3228421444d1d3a3479a1e80567d..b79b9f7d0688609807c03189e4d6a1b13bc676ba 100644 --- a/lily/ly-module.cc +++ b/lily/ly-module.cc @@ -24,21 +24,12 @@ #include "lily-imports.hh" SCM -ly_make_module (bool safe) +ly_make_module () { - SCM mod = SCM_EOL; - if (!safe) - { - mod = Guile_user::make_module (); - Guile_user::module_export_all_x (mod); - ly_use_module (mod, Guile_user::the_root_module); - ly_use_module (mod, Lily::module); - } - else - { - mod = Lily::make_safe_lilypond_module (); - } - + SCM mod = Guile_user::make_module (); + Guile_user::module_export_all_x (mod); + ly_use_module (mod, Guile_user::the_root_module); + ly_use_module (mod, Lily::module); return mod; } diff --git a/lily/output-def.cc b/lily/output-def.cc index ca5cc16a8ad2acc8ece147db5255dbea6eee0ca9..bb7a9c49101db08de7956ef4f019f7ae2be06e0d 100644 --- a/lily/output-def.cc +++ b/lily/output-def.cc @@ -40,7 +40,7 @@ Output_def::Output_def () smobify_self (); - scope_ = ly_make_module (false); + scope_ = ly_make_module (); } Output_def::Output_def (Output_def const &s) @@ -51,7 +51,7 @@ Output_def::Output_def (Output_def const &s) smobify_self (); input_origin_ = s.input_origin_; - scope_ = ly_make_module (false); + scope_ = ly_make_module (); if (ly_is_module (s.scope_)) ly_module_copy (scope_, s.scope_); } diff --git a/lily/parse-scm.cc b/lily/parse-scm.cc index 93b3ad97d0bb2f18e237fc4bec711d945f8d2f7c..b2ecb9707ece105b403edd721b63292034832100 100644 --- a/lily/parse-scm.cc +++ b/lily/parse-scm.cc @@ -43,11 +43,10 @@ struct Parse_start // Output: full extent of the parsed form. Input parsed_; - bool safe_; Lily_parser *parser_; - Parse_start (SCM form, const Input &start, bool safe, Lily_parser *parser) - : form_ (form), start_ (start), safe_ (safe), parser_ (parser) + Parse_start (SCM form, const Input &start, Lily_parser *parser) + : form_ (form), start_ (start), parser_ (parser) { } @@ -137,9 +136,9 @@ protected_parse_embedded_scheme (Parse_start *ps) // parsed_output to the cover the entire form. parsed_output may not // be null. SCM -parse_embedded_scheme (const Input &start, bool safe, Lily_parser *parser, Input *parsed_output) +parse_embedded_scheme (const Input &start, Lily_parser *parser, Input *parsed_output) { - Parse_start ps (SCM_UNDEFINED, start, safe, parser); + Parse_start ps (SCM_UNDEFINED, start, parser); SCM result = parse_protect_global ? protected_parse_embedded_scheme (&ps) @@ -151,26 +150,11 @@ parse_embedded_scheme (const Input &start, bool safe, Lily_parser *parser, Input // EVALUATION -SCM -evaluate_scheme_form (Parse_start *ps) -{ - if (ps->safe_) - { - static SCM module = SCM_BOOL_F; - if (scm_is_false (module)) - { - module = scm_gc_protect_object (Lily::make_safe_lilypond_module ()); - } - - return scm_eval (ps->form_, module); - } - return scm_primitive_eval (ps->form_); -} - SCM evaluate_scheme_form_void (void *p) { - return evaluate_scheme_form (static_cast (p)); + Parse_start *ps = static_cast (p); + return scm_primitive_eval (ps->form_); } SCM @@ -186,9 +170,9 @@ protected_evaluate_scheme_form (void *ps) } SCM -evaluate_embedded_scheme (SCM form, Input const &start, bool safe, Lily_parser *parser) +evaluate_embedded_scheme (SCM form, Input const &start, Lily_parser *parser) { - Parse_start ps (form, start, safe, parser); + Parse_start ps (form, start, parser); // Establish the quasi-parameter (*location*) by using the location // `start` covering the input of the Scheme form during its diff --git a/lily/parser.yy b/lily/parser.yy index 943af06272ae79ed3d65b8170246c5966fcdf9e6..e15f35527347112525e30021a445c8737dfc8193 100644 --- a/lily/parser.yy +++ b/lily/parser.yy @@ -1132,7 +1132,7 @@ bookpart_body: } else if (ly_is_module ($2)) { Book *book = unsmob ($1); if (!ly_is_module (book->header_)) - book->header_ = ly_make_module (false); + book->header_ = ly_make_module (); ly_module_copy (book->header_, $2); } else if (!scm_is_eq ($2, SCM_UNSPECIFIED)) parser->parser_error (@2, _("bad expression type")); @@ -1141,7 +1141,7 @@ bookpart_body: { Book *book = unsmob ($1); if (!ly_is_module (book->header_)) - book->header_ = ly_make_module (false); + book->header_ = ly_make_module (); parser->lexer_->add_scope (book->header_); } lilypond_header | bookpart_body error { @@ -1238,13 +1238,13 @@ score_items: module = score->get_header (); if (!ly_is_module (module)) { - module = ly_make_module (false); + module = ly_make_module (); score->set_header (module); } } else if (scm_is_pair ($$) && ly_is_module (scm_car ($$))) module = scm_car ($$); else { - module = ly_make_module (false); + module = ly_make_module (); $$ = scm_cons (module, $$); } ly_module_copy (module, $2); @@ -1255,11 +1255,11 @@ score_items: { if (Score *score = unsmob ($1)) { if (!ly_is_module (score->get_header ())) - score->set_header (ly_make_module (false)); + score->set_header (ly_make_module ()); parser->lexer_->add_scope (score->get_header ()); } else { if (!scm_is_pair ($1) || !ly_is_module (scm_car ($1))) - $1 = scm_cons (ly_make_module (false), $1); + $1 = scm_cons (ly_make_module (), $1); parser->lexer_->add_scope (scm_car ($1)); } } lilypond_header diff --git a/lily/program-option-scheme.cc b/lily/program-option-scheme.cc index f3efeb14dc4d2cdb191e8667e1981ce253d58733..570850db23dbc6217e8c682f37ddff9b939b22b8 100644 --- a/lily/program-option-scheme.cc +++ b/lily/program-option-scheme.cc @@ -80,11 +80,6 @@ internal_set_option (SCM var, SCM val) parsed_objects_should_be_dead = valbool; val = val_scm_bool; } - else if (varstr == "safe") - { - be_safe_global = valbool; - val = val_scm_bool; - } else if (varstr == "strict-infinity-checking") { strict_infinity_checking = valbool; diff --git a/lily/score.cc b/lily/score.cc index b2b5f6b0092c48fe42e0d302159c4e3d5a62cc1e..104ceaf3e817b8c63280b99d61b6ce7eaec0d6d3 100644 --- a/lily/score.cc +++ b/lily/score.cc @@ -93,7 +93,7 @@ Score::Score (Score const &s) defs_.push_back (copy); copy->unprotect (); } - header_ = ly_make_module (false); + header_ = ly_make_module (); if (ly_is_module (s.header_)) ly_module_copy (header_, s.header_); } diff --git a/python/book_snippets.py b/python/book_snippets.py index f8f938a22a325a6bf3810a9931f3220c4e45093e..8c97f74a18e6ab4a2c7c60de0aa5b9287192cdb8 100644 --- a/python/book_snippets.py +++ b/python/book_snippets.py @@ -202,7 +202,6 @@ PREAMBLE_LY = r'''%%%% Generated by lilypond-book %(layout_string)s } -%(safe_mode_string)s ''' @@ -634,11 +633,6 @@ class LilypondSnippet (Snippet): else: padding_mm_string = "" - if self.global_options.safe_mode: - safe_mode_string = "#(ly:set-option 'safe #t)" - else: - safe_mode_string = "" - d = globals().copy() d.update(locals()) d.update(self.global_options.information) diff --git a/scm/chord-entry.scm b/scm/chord-entry.scm index 7567754f524cd9ea8e595046eda2b3a8b9e4c9de..e7c9d7568478c40bd61315d5dd613402d8b637dd 100644 --- a/scm/chord-entry.scm +++ b/scm/chord-entry.scm @@ -15,7 +15,7 @@ ;;;; You should have received a copy of the GNU General Public License ;;;; along with LilyPond. If not, see . -(use-modules (lily safe-utility-defs) (ice-9 receive)) +(use-modules (ice-9 receive)) (define-public (construct-chord-elements root duration modifications) "Build a chord on @var{root} using modifiers in @var{modifications}. @@ -248,7 +248,7 @@ non-inverted note." (define (sus-modifier pitches) (remove-step (pitch-step (ly:make-pitch 0 2 0)) pitches)) -(define-safe-public default-chord-modifier-list +(define-public default-chord-modifier-list `((m . ,minor-modifier) (min . ,minor-modifier) (aug . , aug-modifier) diff --git a/scm/chord-name.scm b/scm/chord-name.scm index 65dd53452236a940f4f703a815e96f16599c8a40..fe8bb122891e1b5bc504fee2d638fcf79982bc3b 100644 --- a/scm/chord-name.scm +++ b/scm/chord-name.scm @@ -117,7 +117,7 @@ note names are capitalized." (define (pitch-alteration-semitones pitch) (inexact->exact (round (* (ly:pitch-alteration pitch) 2)))) -(define-safe-public ((chord-name->german-markup B-instead-of-Bb) +(define-public ((chord-name->german-markup B-instead-of-Bb) pitch lowercase?) "Return pitch markup for PITCH, using german note names. If B-instead-of-Bb is set to #t real german names are returned. @@ -137,7 +137,7 @@ note names are capitalized." lowercase?)) (accidental->markup (/ (cdr n-a) 2)))))) -(define-safe-public (note-name->german-markup pitch lowercase?) +(define-public (note-name->german-markup pitch lowercase?) ;; TODO: rewrite using note-name->lily-string. ;; FIXME: lowercase? is ignored. (let* ((name (ly:pitch-notename pitch)) @@ -169,7 +169,7 @@ pitch@tie{}D instead of `re'." ;; fixme we should standardize on omit-root (or the other one.) ;; perhaps the default should also be reversed --hwn -(define-safe-public (sequential-music-to-chord-exceptions seq . rest) +(define-public (sequential-music-to-chord-exceptions seq . rest) "Transform sequential music @var{seq} of type @example diff --git a/scm/color.scm b/scm/color.scm index aa91b1b576f9fc46e5d689bdf4e5b0f97f322ff9..922f32f083573258be9c72e88163c73f9e857cd3 100644 --- a/scm/color.scm +++ b/scm/color.scm @@ -752,6 +752,6 @@ (hashq-create-handle! color-table arg-sym temp) temp)))))) -(define-safe-public x11-color (make-color-handler x11-color-list)) -(define-safe-public css-color (make-color-handler css-color-list)) -(define-safe-public universal-color (make-color-handler universal-color-list)) +(define-public x11-color (make-color-handler x11-color-list)) +(define-public css-color (make-color-handler css-color-list)) +(define-public universal-color (make-color-handler universal-color-list)) diff --git a/scm/define-markup-commands.scm b/scm/define-markup-commands.scm index e573e11219eefbdbf552eb4f42bc2e9b7f478851..ca1986d424f4e4f90a436a271f48e2c5a2484782 100644 --- a/scm/define-markup-commands.scm +++ b/scm/define-markup-commands.scm @@ -1186,10 +1186,7 @@ Inline an EPS image. The image is scaled along @var{axis} to } } @end lilypond" - (if (ly:get-option 'safe) - (interpret-markup layout props "not allowed in safe") - (eps-file->stencil axis size file-name) - )) + (eps-file->stencil axis size file-name)) (define-markup-command (postscript layout props str) (string?) @@ -2919,17 +2916,13 @@ of its own. ;; files ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; -(define (safe-file-content name) - (if (ly:get-option 'safe) - "verbatim-file disabled in safe mode" - (begin - (ly:note-extra-source-file name) - (ly:gulp-file name)))) - (define-markup-command (verbatim-file layout props name) (string?) #:category other - #:as-string (safe-file-content name) + #:as-string + (begin + (ly:note-extra-source-file name) + (ly:gulp-file name)) "Read the contents of file @var{name}, and include it verbatim. @lilypond[verbatim,quote] @@ -2937,10 +2930,11 @@ of its own. \\verbatim-file #\"en/included/simple.ly\" } @end lilypond" + (ly:note-extra-source-file name) (interpret-markup layout props (make-typewriter-markup (make-column-markup - (string-split (safe-file-content name) + (string-split (ly:gulp-file name) #\nl))))) ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; diff --git a/scm/define-music-types.scm b/scm/define-music-types.scm index 383b51b3093129aa5ddb46069fe0d9c7feb60b15..ff96e8a579259cbbba71bdc92dbf351cd7749384 100644 --- a/scm/define-music-types.scm +++ b/scm/define-music-types.scm @@ -16,8 +16,6 @@ ;;;; You should have received a copy of the GNU General Public License ;;;; along with LilyPond. If not, see . -(use-modules (lily safe-utility-defs)) - ;; TODO: should link back into user manual. (define-public music-descriptions @@ -925,7 +923,7 @@ brackets start and stop.") (cons (car x) lst))) music-descriptions)) -(define-safe-public (make-music name . music-properties) +(define-public (make-music name . music-properties) "Create a music object of given name, and set its properties according to @code{music-properties}, a list of alternating property symbols and values. Example: diff --git a/scm/define-stencil-commands.scm b/scm/define-stencil-commands.scm index bf619443253ed4ed51a686539e47de06839a14d3..261e81aca44596fc85caea352fc7dc5c6d5fc29e 100644 --- a/scm/define-stencil-commands.scm +++ b/scm/define-stencil-commands.scm @@ -21,42 +21,37 @@ (define-public (ly:all-stencil-commands) "Return the list of stencil commands that can be defined in the output modules (in files @file{output-*.scm})." - (let* - ((commands '(blank - char - circle - dashed-line - draw-line - ellipse - end-group-node - eps-file - glyph-string - grob-cause - named-glyph - no-origin - page-link - path - partial-ellipse - placebox - polygon - resetcolor - resetrotation - resetscale - round-filled-box - setcolor - setrotation - setscale - start-group-node - text - unknown - url-link - utf-8-string - ))) - - (if (ly:get-option 'safe) - commands - (append '(embedded-ps embedded-svg) - commands)) + '(blank + char + circle + dashed-line + draw-line + ellipse + embedded-ps + embedded-svg + end-group-node + eps-file + glyph-string + grob-cause + named-glyph + no-origin + page-link + path + partial-ellipse + placebox + polygon + resetcolor + resetrotation + resetscale + round-filled-box + setcolor + setrotation + setscale + start-group-node + text + unknown + url-link + utf-8-string )) ;; TODO: diff --git a/scm/lily-library.scm b/scm/lily-library.scm index 05feffa6fcc73230734bcaa4af68727d73e85c12..f82bef3f3400848aa46dfe0c910c583e904a8872 100644 --- a/scm/lily-library.scm +++ b/scm/lily-library.scm @@ -20,38 +20,37 @@ ;; for take, drop, take-while, list-index, and find-tail: (srfi srfi-1) (ice-9 pretty-print) - (ice-9 match) - (lily safe-utility-defs)) + (ice-9 match)) ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;; constants. -(define-safe-public X 0) -(define-safe-public Y 1) -(define-safe-public START -1) -(define-safe-public STOP 1) -(define-safe-public LEFT -1) -(define-safe-public RIGHT 1) -(define-safe-public UP 1) -(define-safe-public DOWN -1) -(define-safe-public CENTER 0) - -(define-safe-public DOUBLE-FLAT -1) -(define-safe-public THREE-Q-FLAT -3/4) -(define-safe-public FLAT -1/2) -(define-safe-public SEMI-FLAT -1/4) -(define-safe-public NATURAL 0) -(define-safe-public SEMI-SHARP 1/4) -(define-safe-public SHARP 1/2) -(define-safe-public THREE-Q-SHARP 3/4) -(define-safe-public DOUBLE-SHARP 1) -(define-safe-public SEMI-TONE 1/2) -(define-safe-public FIVE-HALF-FLAT -5/2) -(define-safe-public SEVEN-HALF-FLAT -7/2) -(define-safe-public FIVE-HALF-SHARP 5/2) -(define-safe-public SEVEN-HALF-SHARP 7/2) - -(define-safe-public INFINITY-INT 1000000) +(define-public X 0) +(define-public Y 1) +(define-public START -1) +(define-public STOP 1) +(define-public LEFT -1) +(define-public RIGHT 1) +(define-public UP 1) +(define-public DOWN -1) +(define-public CENTER 0) + +(define-public DOUBLE-FLAT -1) +(define-public THREE-Q-FLAT -3/4) +(define-public FLAT -1/2) +(define-public SEMI-FLAT -1/4) +(define-public NATURAL 0) +(define-public SEMI-SHARP 1/4) +(define-public SHARP 1/2) +(define-public THREE-Q-SHARP 3/4) +(define-public DOUBLE-SHARP 1) +(define-public SEMI-TONE 1/2) +(define-public FIVE-HALF-FLAT -5/2) +(define-public SEVEN-HALF-FLAT -7/2) +(define-public FIVE-HALF-SHARP 5/2) +(define-public SEVEN-HALF-SHARP 7/2) + +(define-public INFINITY-INT 1000000) ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;; moments @@ -509,7 +508,7 @@ in list @var{keys}. Example: ;; created with alist->hash-table: it would be an ugly backwards compatibility ;; leaving users with files that compile but strangely give wrong results. So ;; we're stuck with a function that will be confusing forever. --JeanAS -(define-safe-public (alist->hash-table lst) +(define-public (alist->hash-table lst) "Convert alist @var{lst} to a table. @strong{Warning:} The resulting hash table is hashed by identity. diff --git a/scm/lily.scm b/scm/lily.scm index e193a43d2e4448ea3f206861ff29391ad6c18776..84aa129b1816734d3f95edc5e4617e46cb832e1f 100644 --- a/scm/lily.scm +++ b/scm/lily.scm @@ -92,12 +92,6 @@ ;; LilyPond. It is not proof against in-place modification of data ;; structures (as they are just reinitialized with the original ;; identities), and it is not proof against tampering with internals. -;; -;; As a consequence, session management is not sufficient for -;; separating multiple independent .ly files in "-dsafe" mode: you -;; should give each its own LilyPond process when reliable separation -;; is mandatory. -;; ;; For standard tasks and programming practices, multiple sessions in ;; the same LilyPond job should work reasonably independently and ;; without "bleed-over" while still loading and compiling the @@ -336,7 +330,8 @@ the included file relative to the current file\ "Set resolution for generating PNG pixmaps to given value (in dpi).") (safe #f - "Run in safer mode.") + "Safe mode has been removed; using this option results +in an error.") (separate-log-files #f "For input files `FILE1.ly', `FILE2.ly', ... output log data to files `FILE1.log', @@ -421,7 +416,6 @@ floating point exceptions.") (debug-set! stack 0) (use-modules (ice-9 regex) - (ice-9 safe) ((ice-9 format) #:select ((format . ice9-format))) (ice-9 rdelim) (ice-9 optargs) @@ -430,8 +424,7 @@ floating point exceptions.") (srfi srfi-1) (srfi srfi-13) (srfi srfi-14) - (lily clip-region) - (lily safe-utility-defs)) + (lily clip-region)) (define format simple-format) @@ -493,7 +486,7 @@ floating point exceptions.") ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; -(define-safe-public (lilypond-version) +(define-public (lilypond-version) (if (ly:get-option 'deterministic) "0.0.0" (string-join @@ -577,18 +570,14 @@ floating point exceptions.") "paper" "backend-library" "color")) -;; - Files to be loaded last -(define init-scheme-files-tail - ;; - must be after everything has been defined - '("safe-lily")) + ;; ;; Now construct the load list ;; (define init-scheme-files (append init-scheme-files-lib init-scheme-files-used - init-scheme-files-body - init-scheme-files-tail)) + init-scheme-files-body)) (for-each ly:load init-scheme-files) @@ -792,6 +781,16 @@ PIDs or the number of the process." (define-public (lilypond-main files) "Entry point for LilyPond." + ;; Keep this as a fatal error: we don't want someone to + ;; turn a vulnerable system into a completely unsafe one + ;; during a careless upgrade to LilyPond >= 2.23.12. + (when (ly:get-option 'safe) + (ly:error +"Due to security vulnerabilities deemed unfixable +by the developers, LilyPond's safe mode was removed in +version 2.23.12 in order not to provide a false sense of +security. If you need to compile an untrusted .ly file, please +use an external tool to run LilyPond in a sandbox.")) (eval-string (ly:command-line-code)) (if (ly:get-option 'help) (begin (ly:option-usage (current-output-port) #f) diff --git a/scm/music-functions.scm b/scm/music-functions.scm index 91bbbbb8df8fb5bf4e26faa92b962ba0b28fcfa6..ed6672a17efba3309d0a7d9ddd59ced98115ea10 100644 --- a/scm/music-functions.scm +++ b/scm/music-functions.scm @@ -16,18 +16,16 @@ ;;;; You should have received a copy of the GNU General Public License ;;;; along with LilyPond. If not, see . -(use-modules (lily safe-utility-defs)) - (use-modules (ice-9 optargs) (ice-9 match) (srfi srfi-11)) -(define-safe-public (music-is-of-type? mus type) +(define-public (music-is-of-type? mus type) "Does @var{mus} belong to the music class @var{type}?" (memq type (ly:music-property mus 'types))) (eval-when (expand load eval) - (define-safe-public (music-type-predicate types) + (define-public (music-type-predicate types) "Return a predicate function that can be used for checking music to have one of the types listed in @var{types}." (if (cheap-list? types) @@ -265,7 +263,7 @@ The number of dots in the shifted music may not be less than zero." (music-map (lambda (x) (shift-one-duration-log x shift dot)) music)) -(define-safe-public (volta-spec-music number-list music) +(define-public (volta-spec-music number-list music) "Add \\volta @var{number-list} to @var{music}." (make-music 'VoltaSpeccedMusic 'element music @@ -428,7 +426,7 @@ If @var{types} is an empty list, @code{repeated-music} is taken, unfolding all." ;; Can't use define* behavior since Guile-1.8 has a bug when combining ;; #:optional with #:key and leaving optional args off. -(define-safe-public (check-grob-path path . rest) +(define-public (check-grob-path path . rest) "Check a grob path specification @var{path}, a symbol list (or a single symbol), for validity and possibly complete it. Returns the completed specification, or @code{#f} if invalid, optionally using @@ -505,7 +503,7 @@ respectively." location) #f))))) -(define-safe-public (check-context-path path #:optional location) +(define*-public (check-context-path path #:optional location) "Check a context property path specification @var{path}, a symbol list (or a single symbol), for validity and possibly complete it. Returns the completed specification, or @code{#f} when rising an @@ -531,7 +529,7 @@ error (using optionally @var{location})." ;; Cannot use #:optional and #:key at the same time because of Guile ;; bug in version 1.8 -(define-safe-public (check-music-path path . rest) +(define-public (check-music-path path . rest) "Check a music property path specification @var{path}, a symbol list (or a single symbol), for validity and possibly complete it. Returns the completed specification, or @code{#f} when rising an @@ -629,12 +627,12 @@ making it possible to @code{\\revert} to any previous value afterwards." ;; Getting a unique context id name (define-session unique-counter -1) -(define-safe-public (get-next-unique-voice-name) +(define-public (get-next-unique-voice-name) (set! unique-counter (1+ unique-counter)) (format #f "uniqueContext~s" unique-counter)) -(define-safe-public (make-voice-props-set n) +(define-public (make-voice-props-set n) (make-sequential-music (append (map (lambda (x) (make-grob-property-set x 'direction @@ -644,7 +642,7 @@ making it possible to @code{\\revert} to any previous value afterwards." (make-property-set 'graceSettings general-grace-settings) (make-grob-property-set 'NoteColumn 'horizontal-shift (quotient n 2)))))) -(define-safe-public (make-voice-props-override n) +(define-public (make-voice-props-override n) (make-sequential-music (append (map (lambda (x) (make-grob-property-override x 'direction @@ -654,7 +652,7 @@ making it possible to @code{\\revert} to any previous value afterwards." (make-property-set 'graceSettings general-grace-settings) (make-grob-property-override 'NoteColumn 'horizontal-shift (quotient n 2)))))) -(define-safe-public (make-voice-props-revert) +(define-public (make-voice-props-revert) (make-sequential-music (append (map (lambda (x) (make-grob-property-revert x 'direction)) @@ -663,7 +661,7 @@ making it possible to @code{\\revert} to any previous value afterwards." (make-grob-property-revert 'NoteColumn 'horizontal-shift))))) -(define-safe-public (context-spec-music m context #:optional id mods) +(define*-public (context-spec-music m context #:optional id mods) "Add @code{\\context @var{context} = @var{id} \\with @var{mods}} to @var{m}." (let ((cm (make-music 'ContextSpeccedMusic 'element m @@ -677,7 +675,7 @@ making it possible to @code{\\revert} to any previous value afterwards." mods))) cm)) -(define-safe-public (descend-to-context m context #:optional id mods) +(define*-public (descend-to-context m context #:optional id mods) "Like @code{context-spec-music}, but only descending." (let ((cm (context-spec-music m context id mods))) (ly:music-set-property! cm 'search-direction DOWN) @@ -699,7 +697,7 @@ making it possible to @code{\\revert} to any previous value afterwards." (make-music 'SimultaneousMusic 'elements elts)) -(define-safe-public (make-event-chord elts) +(define-public (make-event-chord elts) (make-music 'EventChord 'elements elts)) @@ -728,7 +726,7 @@ making it possible to @code{\\revert} to any previous value afterwards." (make-music 'PropertyUnset 'symbol sym)) -(define-safe-public (make-articulation name . properties) +(define-public (make-articulation name . properties) ;; ----------------------------------------------------------------- ;; obsoletion handling, may be removed at some point (e.g., for 2.26) (if (string? name) @@ -747,7 +745,7 @@ by (make-articulation '~a ...) or run convert-ly." name name) 'duration duration 'text string)) -(define-safe-public (make-span-event type span-dir) +(define-public (make-span-event type span-dir) (make-music type 'span-direction span-dir)) diff --git a/scm/output-lib.scm b/scm/output-lib.scm index b27c82bbc12c56bc17426f188643db97fc4619eb..5c33b60c5f2d45dd28e32459dbf564da2f7e0bec 100644 --- a/scm/output-lib.scm +++ b/scm/output-lib.scm @@ -767,7 +767,7 @@ extent of the grob to the extent of the staff." ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;; Color -(define-safe-public (color? x) +(define-public (color? x) (or (string? x) (and (list? x) @@ -777,28 +777,28 @@ extent of the grob to the extent of the staff." (every number? x) (every (lambda (y) (<= 0 y 1)) x)))) -(define-safe-public (rgb-color r g b #:optional (a #f)) +(define*-public (rgb-color r g b #:optional (a #f)) (if a (list r g b a) (list r g b))) ;; predefined colors -(define-safe-public black '(0.0 0.0 0.0)) -(define-safe-public white '(1.0 1.0 1.0)) -(define-safe-public red '(1.0 0.0 0.0)) -(define-safe-public green '(0.0 1.0 0.0)) -(define-safe-public blue '(0.0 0.0 1.0)) -(define-safe-public cyan '(0.0 1.0 1.0)) -(define-safe-public magenta '(1.0 0.0 1.0)) -(define-safe-public yellow '(1.0 1.0 0.0)) - -(define-safe-public grey '(0.5 0.5 0.5)) -(define-safe-public darkred '(0.5 0.0 0.0)) -(define-safe-public darkgreen '(0.0 0.5 0.0)) -(define-safe-public darkblue '(0.0 0.0 0.5)) -(define-safe-public darkcyan '(0.0 0.5 0.5)) -(define-safe-public darkmagenta '(0.5 0.0 0.5)) -(define-safe-public darkyellow '(0.5 0.5 0.0)) +(define-public black '(0.0 0.0 0.0)) +(define-public white '(1.0 1.0 1.0)) +(define-public red '(1.0 0.0 0.0)) +(define-public green '(0.0 1.0 0.0)) +(define-public blue '(0.0 0.0 1.0)) +(define-public cyan '(0.0 1.0 1.0)) +(define-public magenta '(1.0 0.0 1.0)) +(define-public yellow '(1.0 1.0 0.0)) + +(define-public grey '(0.5 0.5 0.5)) +(define-public darkred '(0.5 0.0 0.0)) +(define-public darkgreen '(0.0 0.5 0.0)) +(define-public darkblue '(0.0 0.0 0.5)) +(define-public darkcyan '(0.0 0.5 0.5)) +(define-public darkmagenta '(0.5 0.0 0.5)) +(define-public darkyellow '(0.5 0.5 0.0)) ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; diff --git a/scm/paper.scm b/scm/paper.scm index bab054b04b3856fc7fec862dc84b48875f41905d..ba5816b6932c17c15202b0f23a221f2ac064bf72 100644 --- a/scm/paper.scm +++ b/scm/paper.scm @@ -15,8 +15,6 @@ ;;;; You should have received a copy of the GNU General Public License ;;;; along with LilyPond. If not, see . -(use-modules (lily safe-utility-defs)) - (define-public (set-paper-dimension-variables mod) (module-define! mod 'dimension-variables '(binding-offset @@ -102,7 +100,7 @@ (layout-set-absolute-staff-size (* (eval 'pt (current-module)) sz))) -(define-safe-public (set-global-staff-size sz) +(define-public (set-global-staff-size sz) "Set the default staff size, where @var{sz} is thought to be in points." (let* ((current-mod (current-module)) (pap (ly:parser-lookup '$defaultpaper)) @@ -337,7 +335,7 @@ ignoring @var{landscape?}." (else (ly:warning (G_ "Unknown paper size: ~a") name))))) -(define-safe-public (set-default-paper-size name . rest) +(define-public (set-default-paper-size name . rest) (let* ((pap (module-ref (current-module) '$defaultpaper)) (new-paper (ly:output-def-clone pap)) (new-scope (ly:output-def-scope new-paper))) diff --git a/scm/safe-lily.scm b/scm/safe-lily.scm deleted file mode 100644 index 021b9e218ecb03d2eff1aa7245ab85e5a5dba85a..0000000000000000000000000000000000000000 --- a/scm/safe-lily.scm +++ /dev/null @@ -1,214 +0,0 @@ -;;;; This file is part of LilyPond, the GNU music typesetter. -;;;; -;;;; Copyright (C) 2004--2022 Han-Wen Nienhuys -;;;; -;;;; LilyPond is free software: you can redistribute it and/or modify -;;;; it under the terms of the GNU General Public License as published by -;;;; the Free Software Foundation, either version 3 of the License, or -;;;; (at your option) any later version. -;;;; -;;;; LilyPond is distributed in the hope that it will be useful, -;;;; but WITHOUT ANY WARRANTY; without even the implied warranty of -;;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -;;;; GNU General Public License for more details. -;;;; -;;;; You should have received a copy of the GNU General Public License -;;;; along with LilyPond. If not, see . - -(for-each - (lambda (sym) - (set! safe-objects (cons (cons sym (primitive-eval sym)) - safe-objects))) - '(ly:add-interface - ly:moment-add - ly:all-grob-interfaces - ly:all-output-backend-commands - ly:all-stencil-expressions - ly:bracket - ly:context-find - ly:context-id - ly:context-name - ly:context-parent - ly:context-property - ly:context-property-where-defined - ly:context-pushpop-property - ly:context-set-property! - ly:context-unset-property - ly:context? - ly:dimension? - ly:dir? - ly:moment-div - ly:duration-dot-count - ly:duration-factor - ly:duration-log - ly:duration-scale - ly:durationstring - ly:option-usage - ly:output-def-clone - ly:output-def-lookup - ly:output-def-scope - ly:output-description - ly:paper-book? - ly:prob-property - ly:output-def? - ly:paper-get-font - ly:paper-get-number - ly:paper-system? - ly:parser-parse-string - ly:pitch-alteration - ly:pitch-diff - ly:pitch-notename - ly:pitch-octave - ly:pitch-quartertones - ly:pitch-semitones - ly:pitch-steps - ly:pitch-transpose - ly:pitch -;;;; Han-Wen Nienhuys -;;;; -;;;; LilyPond is free software: you can redistribute it and/or modify -;;;; it under the terms of the GNU General Public License as published by -;;;; the Free Software Foundation, either version 3 of the License, or -;;;; (at your option) any later version. -;;;; -;;;; LilyPond is distributed in the hope that it will be useful, -;;;; but WITHOUT ANY WARRANTY; without even the implied warranty of -;;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -;;;; GNU General Public License for more details. -;;;; -;;;; You should have received a copy of the GNU General Public License -;;;; along with LilyPond. If not, see . -;;; -;;; Author Ian Hulin -;;; Date 16 October 2011 -;;; - -(define-module (lily safe-utility-defs) - #:use-module (ice-9 curried-definitions) - #:use-module (ice-9 optargs) - #:export (safe-objects) - #:export-syntax (define-safe-public) - #:re-export-syntax (define*)) - - -;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; -;; Safe definitions utility - -(define safe-objects - (list)) - -(define-syntax define-safe-public - (lambda (syntaks) - "Define a variable, export it, and mark it as safe, i.e., usable in -LilyPond safe mode. The syntax is the same as `define*-public'." - (syntax-case syntaks () - ((_ binding form ...) - (let ((name (let loop ((b #'binding)) - (syntax-case b () - ((head . rest) (loop #'head)) - (x #'x))))) - #`(begin - (define*-public binding form ...) - (set! safe-objects (acons '#,name #,name safe-objects)))))))) diff --git a/scripts/auxiliar/makelsr.py b/scripts/auxiliar/makelsr.py index 32ddb89648fe4bd127e24f1abb8b4d48940854f7..9c5c3400822d79384dd814a32c9e26bef27a41ce 100755 --- a/scripts/auxiliar/makelsr.py +++ b/scripts/auxiliar/makelsr.py @@ -74,8 +74,7 @@ from LSR_SNIPPETS_DIR run through convert-ly or from TOP_SOURCE_DIR/%(new_lys)s; if a snippet is present in both directories, the one from TOP_SOURCE_DIR/%(new_lys)s is preferred. All written snippets are copied in LY_OUTPUT -with appending translations from .texidoc files and are tested with -lilypond with flags %(lilypond_flags)s +with appending translations from .texidoc files. ''' % vars()) @@ -141,26 +140,6 @@ if not os.path.isdir(new_lys): sys.exit(3) -def find_or_create_temp_dir(requested_dir): - if os.path.isdir(requested_dir): - return requested_dir - if os.path.exists(requested_dir): # maybe a typo; play it safe - sys.stderr.write("Error: %s: not a directory\n" % requested_dir) - sys.exit(3) - try: - os.makedirs(requested_dir) - return requested_dir - except Exception as e: - sys.stderr.write("Warning: could not create directory: %s\n" % e) - dir = tempfile.gettempdir() - sys.stderr.write("Warning: could not use or create directory %s, using default %s\n" % ( - requested_dir, dir)) - return dir - - -ly_output = find_or_create_temp_dir(options.ly_output) - - def exit_with_usage(n=0): options_parser.print_help(sys.stderr) sys.exit(n) @@ -188,16 +167,8 @@ else: if not os.path.exists(convert_ly): sys.stderr.write("Warning: %s: no such file\n" % convert_ly) convert_ly = "convert-ly" -if options.lilypond_bin == "LY_PATH/lilypond": - lilypond_bin = os.path.join(options.bin_path, "lilypond") -else: - lilypond_bin = options.lilypond_bin -if not os.path.exists(lilypond_bin): - sys.stderr.write("Warning: %s: no such file\n" % lilypond_bin) - lilypond_bin = "lilypond" -sys.stderr.write("Using %s, %s\n" % (convert_ly, lilypond_bin)) +sys.stderr.write("Using %s\n" % convert_ly) -unsafe = [] unconverted = [] notags_files = [] @@ -258,7 +229,6 @@ def escape_backslashes_in_header(snippet): def copy_ly(srcdir, name, tags): - global unsafe global unconverted dest = os.path.join(lys_from_lsr, name) tags = ', '.join(tags) @@ -286,13 +256,6 @@ def copy_ly(srcdir, name, tags): unconverted.append(dest) if os.path.exists(dest + '~'): os.remove(dest + '~') - # no need to check snippets from Documentation/snippets/new - if not "new" in srcdir: - e = os.system( - "%s %s -o %s '%s'" % - (lilypond_bin, lilypond_flags, ly_output, dest)) - if e: - unsafe.append(dest) def read_source_with_dirs(src): @@ -373,12 +336,3 @@ if unconverted: if notags_files: sys.stderr.write('No tags could be found in these files:\n') sys.stderr.write('\n'.join(notags_files) + '\n\n') -if unsafe: - dump_file_list('lsr-unsafe.txt', unsafe) - sys.stderr.write(''' - -Unsafe files printed in lsr-unsafe.txt: CHECK MANUALLY! - git add %(lys_from_lsr)s/*.ly - xargs git diff HEAD < lsr-unsafe.txt - -''' % vars()) diff --git a/scripts/lilypond-book.py b/scripts/lilypond-book.py index 7c71e1e0af6438807bd413ba4e894cf07d177ce6..172ed6c9a8baa349d43be38265d80bf4c2557eee 100644 --- a/scripts/lilypond-book.py +++ b/scripts/lilypond-book.py @@ -233,7 +233,7 @@ def get_option_parser(): default=False) p.add_option('-s', '--safe', - help=_("compile snippets in safe mode"), + help=_("removed; using this option results in an error"), action="store_true", dest="safe_mode", default=False) @@ -583,6 +583,14 @@ def do_options(): opt_parser = get_option_parser() (global_options, args) = opt_parser.parse_args() + if global_options.safe_mode: + error("""Due to security vulnerabilities deemed unfixable +by the developers, LilyPond's safe mode was removed in +version 2.23.12 in order not to provide a false sense of +security. If you need to compile an untrusted .ly file, please +use an external tool to run LilyPond in a sandbox.""") + raise SystemExit + global_options.information = { 'program_version': program_version, 'program_name': ly.program_name} @@ -674,7 +682,7 @@ def main(): global_options.process_cmd += ( ' '.join([' -I %s' % mkarg(p) for p in global_options.include_path]) + ' -daux-files ') - + global_options.formatter.process_options(global_options) if global_options.lily_loglevel: