Re: AppleScript & HTML Again...
- Subject: Re: AppleScript & HTML Again...
- From: Nigel Smith <email@hidden>
- Date: Fri, 26 Mar 2004 15:55:45 +0000
On 26/3/04 12:46, "John C. Welch" <email@hidden> wrote:
> No, it's about me wanting a very clear explanation from the author of how I
> cannot create bogus URLs to do harm with this.
From the incomplete but fairly extensive testing I've just done (on someone
else's machine, just in case!) it would appear that:
The open: protocol routes through the Finder. So you don't seem to be able
to, for example, call osascript and pass it parameters. Ditto for any other
application.
You can open applications and files. If those files or applications
automatically do something when you double-click them in the Finder, they
can do it from a link. If they can't from the Finder, they can't from a
link.
So it looks like (but it would be great if Peter could confirm this) you
can't create "bogus URLs". You can, however, run a "nasty" application that
is already on the disk -- so if I had an AppleScript app called "killMyDisk"
you could create a link that made it run when I loaded your web page.
But -- horrible thought -- a web page could put that NastyApp on your disk
for you, and then run it. Imagine a webpage which contained a JavaScript to
open the location to download NastyApp and then, short time later, opened
the location "open:/Users/xxx/Desktop/NastyApp". Yes, you would have to
guess the absolute location of the downloaded app, but that is obscurity,
not security.
I'm no JavaScript guru, but I reckon the above is easily done. Yes, the
hacker would have to get you to their web page (or email it), have to guess
or get your username and guess your download location, and would probably
have more success by emailing the script to a million people as an
attachment. But it *could* be done, and if it isn't it is because of
obscurity, not security.
I've deleted Missing Link.
Nigel
_______________________________________________
applescript-users mailing list | email@hidden
Help/Unsubscribe/Archives:
http://www.lists.apple.com/mailman/listinfo/applescript-users
Do not post admin requests to the list. They will be ignored.