> On 10 Feb 2016, at 13:45, sqwarqDev <sqwarq...@icloud.com> wrote:
> 
> 
>> On 10 Feb 2016, at 09:08, Charles Srstka <cocoa...@charlessoft.com> wrote:
>> 
>> If your app is accessing your appcast via HTTP, that could be intercepted 
>> just the same as your relnotes, and then the attacker could set the relnotes 
>> URL to whatever s/he wants.
> 
> 
> Can I just double-check my understanding here:
> 
> 1. If the SUFeedURL uses https, the app is not vulnerable.
> 
> 2. If 1 is true, neither of these matter:
>       2.1 the version of Sparkle
>       2.2 whether the release notes are http or https
> 
> 

1. true

2. By my reading, not true. If the app notes are HTTP then they can be spoofed 
to inject JavaScript via the WebKit widget and run nefarious code. 

Making both HTTPS works, as neither can be spoofed; upgrading Sparkle fixes the 
issue even if the notes are not HTTPS, until someone finds the next exploit, 
which means all HTTPS all the time is the better way to go. 


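The checks discussed in this thread can be scripted. The following is an added example, not code from Sparkle or from any poster in the thread: it reads an app's Info.plist for the SUFeedURL key, parses the appcast it points at, and flags every URL that is not HTTPS, i.e. the feed URL, each item's sparkle:releaseNotesLink (the page rendered in the WebKit release-notes view), and, because the advice above is "all https all the time", each enclosure URL as well. The Info.plist and appcast below are constructed sample inputs, not real files; the bundle identifier and hostnames are placeholders.

```python
import plistlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Namespace Sparkle uses for its appcast extensions.
SPARKLE_NS = "http://www.andymatuschak.org/xml-namespaces/sparkle"

# Constructed sample Info.plist: the feed URL is plain HTTP (the bad case).
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.demoapp</string>
  <key>SUFeedURL</key><string>http://updates.example.com/appcast.xml</string>
</dict>
</plist>
"""

# Constructed sample appcast: one item has HTTP release notes, one is all HTTPS.
SAMPLE_APPCAST = b"""<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:sparkle="http://www.andymatuschak.org/xml-namespaces/sparkle">
  <channel>
    <title>DemoApp updates</title>
    <item>
      <title>Version 2.0</title>
      <sparkle:releaseNotesLink>http://updates.example.com/notes/2.0.html</sparkle:releaseNotesLink>
      <enclosure url="https://updates.example.com/DemoApp-2.0.zip" sparkle:version="2.0"
                 length="1" type="application/octet-stream" />
    </item>
    <item>
      <title>Version 1.9</title>
      <sparkle:releaseNotesLink>https://updates.example.com/notes/1.9.html</sparkle:releaseNotesLink>
      <enclosure url="https://updates.example.com/DemoApp-1.9.zip" sparkle:version="1.9"
                 length="1" type="application/octet-stream" />
    </item>
  </channel>
</rss>
"""


def is_https(url):
    """True only for an https:// URL; anything else can be intercepted on the wire."""
    return urlparse(url).scheme.lower() == "https"


def feed_url_from_plist(plist_bytes):
    """Return the SUFeedURL value from Info.plist, or None if the key is absent."""
    return plistlib.loads(plist_bytes).get("SUFeedURL")


def audit_appcast(appcast_bytes):
    """Return (item title, field, url) for every non-HTTPS URL in the appcast."""
    findings = []
    root = ET.fromstring(appcast_bytes)
    for item in root.iter("item"):
        title = item.findtext("title", default="?")
        # Remote release notes are loaded into a WebKit view, so an HTTP link
        # here lets a network attacker serve arbitrary HTML/JavaScript.
        notes = item.findtext("{%s}releaseNotesLink" % SPARKLE_NS)
        if notes and not is_https(notes):
            findings.append((title, "releaseNotesLink", notes))
        # Enclosures are flagged too, following the "all https" advice;
        # whether a signed enclosure over HTTP is exploitable is not decided here.
        for enc in item.findall("enclosure"):
            url = enc.get("url", "")
            if not is_https(url):
                findings.append((title, "enclosure", url))
    return findings


def audit(plist_bytes, appcast_bytes):
    """Audit an Info.plist plus the appcast it points at; empty list means clean."""
    findings = []
    feed = feed_url_from_plist(plist_bytes)
    if feed is None:
        findings.append(("Info.plist", "SUFeedURL", "missing"))
    elif not is_https(feed):
        findings.append(("Info.plist", "SUFeedURL", feed))
    findings.extend(audit_appcast(appcast_bytes))
    return findings


if __name__ == "__main__":
    for where, field, url in audit(SAMPLE_INFO_PLIST, SAMPLE_APPCAST):
        print("INSECURE %-12s %-16s %s" % (where, field, url))
```

On a real bundle, read `Contents/Info.plist` and the appcast file the build publishes (fetching the live appcast over the network is the very step an attacker sits on, so audit the copy you ship). An empty result from `audit()` is the "both HTTPS" state the reply recommends; a hit on `SUFeedURL` alone is already enough for an attacker to substitute whatever release-notes URL they like.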
_______________________________________________

Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)
