Re: Security Update [Was: Re: Script Library Search Order]
- Subject: Re: Security Update [Was: Re: Script Library Search Order]
- From: has <email@hidden>
- Date: Mon, 25 Jan 2016 20:11:45 +0000
On 22/01/2016 02:02, Chris Page wrote:
> On Jan 20, 2016, at 5:58 AM, has <email@hidden> wrote:
>> Martin Orpen wrote:
>>> Today’s Security Update:
>>>
>>> OSA Scripts
>>> Available for: OS X El Capitan v10.11 to v10.11.2
>>> Impact: A quarantined application may be able to override OSA script libraries installed by the user
>>> Description: An issue existed when searching for scripting libraries. This issue was addressed through improved search order and quarantine checks.
>>> CVE-ID
>>> CVE-2016-1729 : an anonymous researcher
>>
>> [The System/Security Update] just means user-installed libraries can now accidentally mask library-supplied ones...
>
> Was “library-supplied” supposed to be “application-supplied”?
Yes. Typo. And yes, the masking problem remains a masking problem in
other respects. Short version: having arbitrary search path injection is
just a plain Bad Idea. As if the lessons of having arbitrary keyword
injection haven't had the last 20 years to be fully learned. I'm not
going to bother arguing: either you accept and admit it's a problem for
yourself, and replace it with a sane, predictable, safe alternative, or
you don't. The road to software hell is paved with extreme programmer
cleverness, and I've other things to do than play street sweeper when it
won't do any good anyway. (I'm already going against all sanity and good
judgement writing these damn 'standard' libraries...)
>> ...plus searching every .app bundle _automatically_ makes the initialization process needlessly slow/stale.
>
> Have you observed a specific performance issue with library lookup on 10.11-10.11.2 that you can report? There are several strategies in place to make it efficient.
Like caching? That merely replaces one problem with another. Honestly,
AppleScript is fractal brokenness all the way down; beyond ensuring the
security hole is plugged I'm doing my best to ignore individual
instances of AppleScript Lame and Fail, as down that road waits only
total insanity and I've enough screws loose as it is.
Regards,
has
AppleScript-Users mailing list (email@hidden)
Archives: http://lists.apple.com/archives/applescript-users