• Open Menu Close Menu
  • Apple
  • Shopping Bag
  • Apple
  • Mac
  • iPad
  • iPhone
  • Watch
  • TV
  • Music
  • Support
  • Search apple.com
  • Shopping Bag

Lists

Open Menu Close Menu
  • Terms and Conditions
  • Lists hosted on this site
  • Email the Postmaster
  • Tips for posting to public mailing lists
Re: AppleScript & HTML Again...
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: AppleScript & HTML Again...

  • Subject: Re: AppleScript & HTML Again...
  • From: "John C. Welch" <email@hidden>
  • Date: Mon, 29 Mar 2004 12:38:58 -0600
On 3/29/04 11:20 AM, "Peter Bunn" <email@hidden> wrote:

>
> I have (of course) read and saved every post in this thread, but... when
> the fur stops flying, it would be extremely helpful for me if there might
> be _some_ consensus and summary on whether there are ways to improve ML
> (without completely hobbling it) that would make a _meaningful_
> difference in the security provided.

Well, the one way that would allow for far greater security and automated
operation would be to require the explicit declaration of the applications
that ML works with, and only have it work with those. For instance..if you
want ML to open iCal, then you have to explicitly add iCal to the "approved"
list. If you make ML a bundle, you could store this list in the bundle, so
it would be harder to sneak in a bogus preferences list.

In this manner, you then have to have three things correct:

1) protocol name
2) hard drive name
3) Application name.

While you can get lucky with 1 and 2 with relative ease, 3 gets a lot
harder. If you eliminate the ability to use relative paths, and require full
paths with the hard drive name, then you make a cracker's job harder still,
as now they MUST include the hard drive name.

I would also very explicitly ONLY allow applications in /Applications or a
home directory path, (starts with /Users) tio be run. Explicitly exclude
anything in /Private, /Library, or /System. I would make excluding /Volumes
an option.

Just doing that would handle a HUGE chunk of the issues I have with ML, and
would limit the ability to do real damage.

By default, ML should not be able to open any application that can handle an
open event.

john

--
Nihil curo de ista tua stulta superstitione.
(I'm not interested in your dopey religious cult.)

Jeff La Grua
_______________________________________________
applescript-users mailing list | email@hidden
Help/Unsubscribe/Archives: http://www.lists.apple.com/mailman/listinfo/applescript-users
Do not post admin requests to the list. They will be ignored.

References: 
 >Re: AppleScript & HTML Again... (From: Peter Bunn <email@hidden>)

  • Prev by Date: Re: Does Powerpoint supports Apple scripts
  • Next by Date: Re: AppleScript & HTML Again...
  • Previous by thread: Re: AppleScript & HTML Again...
  • Next by thread: Re: AppleScript & HTML Again...
  • Index(es):
    • Date
    • Thread