Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server
- Subject: Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server
- From: Graham Cox <email@hidden>
- Date: Wed, 10 Feb 2016 12:53:19 +1100
Wait a sec, I think I see an easy solution to this.
The appcast supplies the URL for the release notes, so that can be updated to https without having to republish the app itself. That makes this a lot less trouble than it seems.
Am I right?
—Graham
> On 10 Feb 2016, at 12:49 PM, Graham Cox <email@hidden> wrote:
>
>
>> On 10 Feb 2016, at 12:22 PM, Jens Alfke <email@hidden> wrote:
>>
>> It’s to display the release notes, which come from an RSS entry in the feed and are in HTML format. And Sparkle had a couple of bugs relating to that: (a) the WebView was configured to allow JavaScript, and (b) their delegate handled navigation requests to file: URLs by sending them to the Finder. This meant that a malicious feed entry could run a script to download some malware and then tell the Finder to launch the downloaded malware installer.
>>
>
>
> Got it, so the signing aspect is irrelevant.
>
> Already updated to use https, but of course the problem is that in itself requires a Sparkle update…
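Since the appcast is what hands the update client both the release-notes page (rendered in a WebView) and the update archive, a quick audit of the feed for plain-http URLs shows where a network attacker could still substitute content. This is an added example, not code from the thread or from the Sparkle project; the appcast below is constructed, and only the Sparkle XML namespace and element names are real.

```python
import xml.etree.ElementTree as ET
from typing import List, Tuple
from urllib.parse import urlparse

# Sparkle's XML namespace for its appcast extensions.
SPARKLE_NS = "http://www.andymatuschak.org/xml-namespaces/sparkle"

# Constructed sample appcast (not a real project's feed): the 2.0 item still
# serves its release notes and enclosure over http, the 2.1 item is all https.
SAMPLE_APPCAST = """<rss version="2.0" xmlns:sparkle="http://www.andymatuschak.org/xml-namespaces/sparkle">
  <channel>
    <title>Example App Updates</title>
    <item>
      <title>Version 2.0</title>
      <sparkle:releaseNotesLink>http://example.invalid/notes/2.0.html</sparkle:releaseNotesLink>
      <enclosure url="http://example.invalid/ExampleApp-2.0.zip" sparkle:version="200" length="1" type="application/octet-stream"/>
    </item>
    <item>
      <title>Version 2.1</title>
      <sparkle:releaseNotesLink>https://example.invalid/notes/2.1.html</sparkle:releaseNotesLink>
      <enclosure url="https://example.invalid/ExampleApp-2.1.zip" sparkle:version="210" length="1" type="application/octet-stream"/>
    </item>
  </channel>
</rss>
"""

def insecure_appcast_urls(appcast_xml: str) -> List[Tuple[str, str, str]]:
    """Return (item title, field, url) for every URL the update client fetches
    that is not served over https: the release-notes link (loaded into a
    WebView), the item link, and the enclosure (the update archive itself)."""
    root = ET.fromstring(appcast_xml)
    findings = []
    for item in root.iter("item"):
        title = item.findtext("title", default="<untitled>")
        candidates = []
        notes = item.find(f"{{{SPARKLE_NS}}}releaseNotesLink")
        if notes is not None and notes.text:
            candidates.append(("releaseNotesLink", notes.text.strip()))
        link = item.findtext("link")
        if link:
            candidates.append(("link", link.strip()))
        for enc in item.findall("enclosure"):
            url = enc.get("url")
            if url:
                candidates.append(("enclosure", url))
        for field, url in candidates:
            if urlparse(url).scheme.lower() != "https":
                findings.append((title, field, url))
    return findings

if __name__ == "__main__":
    for title, field, url in insecure_appcast_urls(SAMPLE_APPCAST):
        print(f"{title}: {field} is not https: {url}")
```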