Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server
Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server
- Subject: Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server
- From: Graham Cox <email@hidden>
- Date: Wed, 10 Feb 2016 12:49:03 +1100
> On 10 Feb 2016, at 12:22 PM, Jens Alfke <email@hidden> wrote:
>
> It’s to display the release notes, which come from an RSS entry in the feed and are in HTML format. And Sparkle had a couple of bugs relating to that: (a) the WebView was configured to allow JavaScript, and (b) their delegate handled navigation requests to file: URLs by sending them to the Finder. This meant that a malicious feed entry could run a script to download some malware and then tell the Finder to launch the downloaded malware installer.
>
Got it, so the signing aspect is irrelevant.
Already updated to use https, but of course the problem is that in itself requires a Sparkle update…
—Graham
_______________________________________________
Cocoa-dev mailing list (email@hidden)
Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden