> On Jun 24, 2016, at 7:47 PM, Quincey Morris
> <[email protected]> wrote:
>
> On Jun 24, 2016, at 16:24 , Charles Srstka <[email protected]> wrote:
>>
>> How could this be a security threat, when a malicious program could just set
>> canChooseDirectories to true, open the panel to the app’s parent directory,
>> and spearphish the user into clicking OK on that?
>
> (I wasn’t referring to opening apps, but to files generally.)
>
> Clicking OK won’t do anything until the user selects something, and the app
> can’t preset or change the selection. Maybe my logic is incorrect, but this
> seems to me to prevent attempts to fool the user into choosing something
> unintended.
func readTheFile(url: NSURL) {
do {
let data = try NSData(contentsOfURL: url, options: [])
guard let string = String(data: data, encoding: NSUTF8StringEncoding)
else {
throw NSCocoaError.FileReadCorruptFileError
}
print("Contents of file: \(string)")
} catch {
print("Error occurred: \(error)")
}
}
let url = NSURL(fileURLWithPath: "/path/to/MyGreatFile.txt")
print("First attempt:")
readTheFile(url)
let dirURL: NSURL = {
while true {
let openPanel = NSOpenPanel()
openPanel.canChooseDirectories = true
openPanel.directoryURL = url.URLByDeletingLastPathComponent
openPanel.prompt = "OK"
openPanel.message = "Please click OK"
let answer = openPanel.runModal()
if answer == NSFileHandlingPanelOKButton, let openPanelURL =
openPanel.URL where openPanelURL == url.URLByDeletingLastPathComponent {
return openPanelURL
} else {
let alert = NSAlert()
alert.messageText = "Hey buddy, click the OK button when I tell you
to, okay?"
alert.runModal()
}
}
}()
print("Second attempt:")
dirURL.startAccessingSecurityScopedResource()
readTheFile(url)
dirURL.stopAccessingSecurityScopedResource()
--
After clicking OK when asked, this outputs:
First attempt:
Error occurred: Error Domain=NSCocoaErrorDomain Code=257 "The file
“MyGreatFile.txt” couldn’t be opened because you don’t have permission to view
it." UserInfo={NSFilePath=/path/to/MyGreatFile.txt,
NSUnderlyingError=0x600000046750 {Error Domain=NSPOSIXErrorDomain Code=1
"Operation not permitted"}}
Second attempt:
Contents of file: This is my great file!
Charles
_______________________________________________
Cocoa-dev mailing list ([email protected])
Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com
Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com
This email sent to [email protected]
