Add a comment to the Lemon documentation regarding the security of the

lemon.exe command-line tool. FossilOrigin-Name: 4c2458c1908181dc2f6bc594395c06d015fcbd78f5d3472f07a6a3909be9673c
2025-07-29 08:01:23 +03:00 · 2017-06-01 01:53:19 +00:00
parent cdbb126be7
commit c5e56b3473
3 changed files with 27 additions and 8 deletions
--- a/doc/lemon.html
+++ b/doc/lemon.html
@ -23,6 +23,26 @@ or embedded controllers.</p>
 <p>This document is an introduction to the Lemon
 parser generator.</p>

+<h2>Security Note</h2>
+
+<p>The language parser code created by Lemon is very robust and
+is well-suited for use in internet-facing applications that need to
+safely process maliciously crafted inputs.
+
+<p>The "lemon.exe" command-line tool itself works great when given a valid
+input grammar file and almost always gives helpful
+error messages for malformed inputs.  However,  it is possible for
+a malicious user to craft a grammar file that will cause 
+lemon.exe to crash.
+We do not see this as a problem, as lemon.exe is not intended to be used
+with hostile inputs.
+To summarize:</p>
+
+<ul>
+<li>Parser code generated by lemon &rarr; Robust and secure
+<li>The "lemon.exe" command line tool itself &rarr; Not so much
+</ul>
+
 <h2>Theory of Operation</h2>

 <p>The main goal of Lemon is to translate a context free grammar (CFG)