• Open Menu Close Menu
  • Apple
  • Shopping Bag
  • Apple
  • Mac
  • iPad
  • iPhone
  • Watch
  • TV
  • Music
  • Support
  • Search apple.com
  • Shopping Bag

Lists

Open Menu Close Menu
  • Terms and Conditions
  • Lists hosted on this site
  • Email the Postmaster
  • Tips for posting to public mailing lists
Re: disk:// and help:// security problems
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: disk:// and help:// security problems

  • Subject: Re: disk:// and help:// security problems
  • From: Chilton Webb <email@hidden>
  • Date: Tue, 18 May 2004 09:34:38 -0500
Hi Charles,

During the Y2K scare, many US Banks were required to show that a third party had performed a Y2K date and security test on any publicly available machines. One of my clients was doing these tests for banks in Oklahoma. It was pretty funny, actually, because if a bank had a certain version IIS installed without the latest security patches, they'd automatically fail the test, because there was an app on it that could execute any script on the server, regardless of the file's location (like in an open dropbox).

This was considered the absolute worst security problem ever created, and I'm as amazed as everyone else that Apple decided to put this into MacOSX.

Here's a thought--Apple could remove Help altogether. The Help application seems to be a hybrid of Apple's previous 'Guide' technology and a web browser/search engine, failing to achieve any of these goals. Instead of Help, Apple could add an option to the Finder's 'Search' screen, for searching Help & Documentation. The Help key (command+?) could then launch the 'Find' box with the Help & Docs option selected. The Help menu could have links into the documents directly (using #s).

What about launching AppleScripts from Help? The reason this worked at all under the Guide metaphor was that the guide could draw on the screen, point at things, pull down menus, and stay the hell out of the way while the actions were executing, but be visible enough that the user could read about what they're seeing. With the current Help design, the Help window obscures everything, and the user either finds themselves with suddenly opened windows (but unable to read why this happened) or the Help app stays in the foreground while the script does something in the background. Neither of these is actually helpful. So my vote would be for Apple to abandon the idea of running scripts and launching apps from within the Help documentation, and focus instead on writing better help documentation.

-Chilton

On May 17, 2004, at 8:26 PM, Charles Srstka wrote:
I'll go further and say that it's not a problem with disk:// either, which is actually a handy feature. The problem is with help:. No matter what, it is *never* a good idea to have it possible to execute arbitrary scripts via a URL. I really can't imagine what the engineers were thinking when they implemented this.
_______________________________________________
cocoa-dev mailing list | email@hidden
Help/Unsubscribe/Archives: http://www.lists.apple.com/mailman/listinfo/cocoa-dev
Do not post admin requests to the list. They will be ignored.

  • Follow-Ups:
    • Re: disk:// and help:// security problems
      • From: Charles Srstka <email@hidden>
    • Re: disk:// and help:// security problems
      • From: Charles Srstka <email@hidden>
References: 
 >disk:// and help:// security problems (From: "Michael Rothwell" <email@hidden>)
 >Re: disk:// and help:// security problems (From: Michael Rothwell <email@hidden>)
 >Re: disk:// and help:// security problems (From: Charles Srstka <email@hidden>)

  • Prev by Date: Re: improving numerical applications performance
  • Next by Date: Re: Preventing NSTableView hilighting
  • Previous by thread: Re: disk:// and help:// security problems
  • Next by thread: Re: disk:// and help:// security problems
  • Index(es):
    • Date
    • Thread