Re: disk:// and help:// security problems
- Subject: Re: disk:// and help:// security problems
- From: Charles Srstka <email@hidden>
- Date: Mon, 17 May 2004 23:19:24 -0500
On May 17, 2004, at 8:53 PM, Allan Odgaard wrote:
On 18. May 2004, at 0:23, Peter Wollschlaeger wrote:
1) Apple's Safari developers remove this kind of convenient (?) but
boneheaded feature
I think the problem is with the Help Viewer. Custom handlers for URL
schemes are useful in many different contexts. But the scheme handler
should never allow the URL to specify code to be executed (which the
help viewer does).
As a programmer I would say it's not a bug it's a feature.
If you don't like it, just turn it off ("Open 'safe' files after
download").
And pay attention to rule 1: Never download from a source you can't
trust.
Did you read the exploit? I can post an innocent-looking http link
to this forum, and by clicking it (w/o taking further actions) you
allow me to execute custom code on your machine.
I click dozens of links every day from sources which are impossible for
me to verify in advance, and I am not sure that this "feature" can be
easily disabled, 'cause it is not about opening files I download, it is
about having the browser follow a link using Launch Services, which I
do not think can be disabled, and if it could, it would also break
ftp:, mailto:, or other stuff not handled by Safari itself.
You can disable it by downloading More Internet from
http://www.monkeyfood.com and using it to change the helper app for
"help:" from Help Viewer to something else.
Charles
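The thread's point is that a client should not hand arbitrary schemes such as help: or disk: to Launch Services. The following is an added example (not code from any poster, and not Safari's or Help Viewer's own logic) of the fail-closed alternative: an allow-list of schemes a client may dispatch to external handlers, normalised so case or stray whitespace cannot slip past it; the allow-list contents are an assumption for the example.

```python
from urllib.parse import urlsplit

# Constructed allow-list for this example: schemes the client may dispatch
# to an external handler. Anything else (help:, disk:, javascript:, ...)
# is refused rather than looked up, so a new or unknown handler never
# becomes reachable just by appearing in a link.
SAFE_SCHEMES = frozenset({"http", "https", "ftp", "mailto"})


def normalize_scheme(url: str) -> str:
    """Return the lowercased scheme of url, or '' if it has none.

    Leading/trailing whitespace is stripped first so that " help:..."
    is recognised as help:, and urlsplit already lowercases the scheme,
    so HELP: and help: are treated alike.
    """
    return urlsplit(url.strip()).scheme.lower()


def may_hand_off(url: str) -> bool:
    """True only if the URL's scheme is on the allow-list.

    A URL with no scheme at all (e.g. a protocol-relative "//host/path")
    also returns False here: the caller should resolve it against the
    page's base URL first and re-check the absolute result.
    """
    return normalize_scheme(url) in SAFE_SCHEMES


def triage_links(urls):
    """Split a sequence of hrefs into (allowed, blocked) lists.

    Useful both as the dispatch gate and for logging which links on a
    page would have reached a non-web handler.
    """
    allowed, blocked = [], []
    for u in urls:
        (allowed if may_hand_off(u) else blocked).append(u)
    return allowed, blocked


if __name__ == "__main__":
    # Constructed sample hrefs, mixing ordinary links with the schemes
    # discussed in the thread.
    sample = ["http://example.com/", "  HELP:runscript", "disk://vol/x",
              "mailto:someone@example.com", "//example.com/rel"]
    ok, bad = triage_links(sample)
    print("allowed:", ok)
    print("blocked:", bad)
```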
_______________________________________________
cocoa-dev mailing list | email@hidden
Help/Unsubscribe/Archives:
http://www.lists.apple.com/mailman/listinfo/cocoa-dev
Do not post admin requests to the list. They will be ignored.