Re: disk:// and help:// security problems
- Subject: Re: disk:// and help:// security problems
- From: Allan Odgaard <email@hidden>
- Date: Tue, 18 May 2004 03:53:16 +0200
On 18. May 2004, at 0:23, Peter Wollschlaeger wrote:
> 1) Apple's Safari developers remove this kind of convenient (?) but
> boneheaded feature
I think the problem is with the Help Viewer. Custom handlers for URL
schemes are useful in many different contexts. But the scheme handler
should never allow the URL to specify code to be executed (which the
help viewer does).
> As a programmer I would say it's not a bug, it's a feature.
> If you don't like it, just turn it off ("Open 'safe' files after
> download").
> And pay attention to rule 1: Never download from a source you can't
> trust.
Did you read the exploit? I can post an innocent-looking http link to
this forum, and by clicking it (w/o taking further actions) you allow
me to execute custom code on your machine.
I click dozens of links every day from sources which are impossible for
me to verify in advance, and I am not sure that this "feature" can be
easily disabled, because it is not about opening files I download, it is
about having the browser follow a link using Launch Services, which I
do not think can be disabled, and if it could, it would also break
ftp:, mailto:, or other stuff not handled by Safari itself.
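The rule argued in this message, that a custom URL scheme handler may let the URL select content but must never let it specify code to run, is illustrated by the following added example. It is not code from the thread, from Apple, or from the real Help Viewer; the scheme name `myhelp`, the topic table and the `anchor` parameter are all constructed for the example.

```python
"""Added example: a minimal handler for a hypothetical custom URL scheme
(``myhelp:``) that only ever maps a URL onto an allow-listed help page.

Nothing in the URL is interpreted as a file name, an application, or a
script; anything the handler does not explicitly define is refused.
"""
import re
import posixpath
from urllib.parse import urlparse, parse_qs

SCHEME = "myhelp"  # constructed scheme name, not Apple's help: scheme

# Allow-list of topics the handler knows how to display. The URL may only
# pick one of these keys; it cannot name arbitrary paths or programs.
TOPICS = {
    "getting-started": "Getting Started.html",
    "keyboard": "Keyboard Shortcuts.html",
    "troubleshooting": "Troubleshooting.html",
}

# The only query parameter the handler understands: a fragment to scroll to.
ANCHOR_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


class RejectedURL(ValueError):
    """Raised for any URL the handler refuses to act on."""


def resolve_help_url(url: str) -> str:
    """Return the bundled help page a ``myhelp:`` URL refers to.

    Raises RejectedURL for a foreign scheme, a host component, a path that
    is not exactly one allow-listed topic, or unknown query parameters.
    Accepted forms: ``myhelp:topic`` and ``myhelp:/topic?anchor=name``.
    """
    parts = urlparse(url)
    if parts.scheme.lower() != SCHEME:
        raise RejectedURL(f"unexpected scheme {parts.scheme!r}")
    # ``myhelp://something`` puts 'something' in netloc; a host or credential
    # component means a remote or foreign resource, so refuse it outright.
    if parts.netloc:
        raise RejectedURL("host component not allowed")
    # Normalize away any '.'/'..' segments, then require an exact match
    # against the topic table. Percent-encoded variants such as %2e%2e are
    # not decoded here, so they simply fail the exact-match test.
    topic = posixpath.normpath("/" + parts.path.lstrip("/")).strip("/")
    if topic not in TOPICS:
        raise RejectedURL(f"unknown topic {topic!r}")
    query = parse_qs(parts.query, keep_blank_values=True)
    unknown = set(query) - {"anchor"}
    if unknown:
        # Parameters the handler does not define are refused, never
        # forwarded to some other component that might act on them.
        raise RejectedURL(f"unsupported parameters {sorted(unknown)}")
    anchor = query.get("anchor", [""])[0]
    if anchor and not ANCHOR_RE.fullmatch(anchor):
        raise RejectedURL(f"malformed anchor {anchor!r}")
    page = TOPICS[topic]
    return f"{page}#{anchor}" if anchor else page


def is_rejected(url: str) -> bool:
    """Convenience predicate: True if the handler refuses the URL."""
    try:
        resolve_help_url(url)
    except RejectedURL:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample URLs: two legitimate ones and several that try to
    # make the handler reach outside its topic table.
    samples = [
        "myhelp:keyboard",
        "myhelp:/troubleshooting?anchor=crash-logs",
        "myhelp://evil.example/keyboard",
        "myhelp:../../Applications/SomeApp.app",
        "myhelp:/keyboard?anchor=x&run=something",
        "file:///etc/passwd",
    ]
    for u in samples:
        try:
            print(f"{u!r:50} -> {resolve_help_url(u)}")
        except RejectedURL as e:
            print(f"{u!r:50} -> REJECTED ({e})")
```

The design choice worth noting is the exact allow-list match: the handler never builds a path from the URL, so traversal segments, encoded variants and unexpected query keys all fail the same way, and the URL has no channel through which to name code.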
_______________________________________________
cocoa-dev mailing list | email@hidden
Help/Unsubscribe/Archives:
http://www.lists.apple.com/mailman/listinfo/cocoa-dev
Do not post admin requests to the list. They will be ignored.