Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

How to get in touch regarding a security concern #105

Open
zidingz opened this issue Sep 29, 2021 · 6 comments
Open

How to get in touch regarding a security concern #105

zidingz opened this issue Sep 29, 2021 · 6 comments

Comments

@zidingz
Copy link

zidingz commented Sep 29, 2021

Hey there!

I belong to an open source security research community, and a member (@wiz123) has found an issue, but doesn’t know the best way to disclose it.

If not a hassle, might you kindly add a SECURITY.md file with an email, or another contact method? GitHub recommends this best practice to ensure security issues are responsibly disclosed, and it would serve as a simple instruction for security researchers in the future.

Thank you for your consideration, and I look forward to hearing from you!

(cc @huntr-helper)
@moinejf
Copy link
Collaborator

moinejf commented Sep 29, 2021

I don't see the use of this SECURITY.md file: my email can be found from my site (its reference is in README.md).
Up to now, I had reports from various security research communities, but none was containing critical bugs: crashing the program does not destroy any information in the computers of the users, and this cannot extract private data.
On the other side, yes, some buffer overflows have been reported, but I don't see how a malware could be inserted in the readable texts my users expect.

@Iiridayn
Copy link

Iiridayn commented Aug 2, 2022

I was considering running this on a server which accepts arbitrary user input without authentication. Crashing the program and buffer overflows can often be turned into arbitrary code execution, which would allow anybody with access to my website to run arbitrary code as the user account which runs abcm2ps. I'd like to not have everybody on the Internet running whatever code they'd like on my server.

@moinejf
Copy link
Collaborator

moinejf commented Aug 2, 2022

I don't see running abcm2ps in a server as a good idea. It is mainly a batch program that is better run in users computers.
If you want to offer music from a server, it is better to move the computation to the users, and the best way for that is ECMAscript. That's why I created abc2svg.

@JamieSlome
Copy link

Just to add to this, the report we received ended up being invalid - so nothing to share from our side.

@Iiridayn
Copy link

Iiridayn commented Aug 2, 2022

@moinejf yeah, I found abc2svg a couple hours later. I abandoned ABC though as I couldn't get verse+chorus repeated parts to render after several hours with either abc2svg or abcm2ps using the P repetitions thing. I may add ABC support later as a side feature, but it will not be the core of the site as I had been previously considering.

@moinejf
Copy link
Collaborator

moinejf commented Aug 3, 2022

What is the problem with abc2svg? Have you any example?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@Iiridayn @moinejf @zidingz @JamieSlome