Donn just made it possible to share and edit scripts again. This is
pretty insecure at the moment, so we need to do some tweaks to plug the
most serious holes. We discussed some ideas with Donn which I am
presenting here.

The thing we want to protect the users against is unknowingly or
automatically running malicious scripts they get from sharing.

The "unknowingly" part we can't cover completely because of social
engineering ("here's how you edit a script, just copy paste this stuff
and Chandler will dance for you"). However, we can make it so that a
user doesn't run a malicious script by accident (or make it much harder
to do so by accident).

Barring programming mistakes we should be able to protect the user
completely from automatically running scripts they did not intend to run.

1. When you subscribe to a share, Chandler should never overwrite a
script that is created either by OSAF dev or you. This is needed so a
builtin or a script created by you bound to F1 (for example) won't be
silently replaced by something malicious.

2. When you do get a script in a share, it should be disabled by
default. Suppose someone shared a script with you bound to F5 (which
you didn't yet have bound to anything) and you accidentally pressed F5
at some point, causing the malicious script to run without you realizing
it. Obviously users need a way to enable a script for sharing to
make sense.

3. Scripting (?) code should detect, and flag for the user's attention,
cases where the same key has been bound to more than one script. If we just
randomly run one script bound to a key we might end up running something
the user did not intend.

4. Scripts do not run without a user explicitly starting a script. This
is actually implemented now.
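The four rules above, modelled as a small script store. This is an added illustration, not Chandler's scripting code; the script names, hotkeys, bodies and the `Origin` classification are constructed for the example, and executing a script is stood in for by appending to a run log.

```python
"""Model of the shared-script safeguards proposed above (constructed example)."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Origin(Enum):
    BUILTIN = "builtin"  # shipped by OSAF developers
    LOCAL = "local"      # written by this user
    SHARED = "shared"    # received through a share subscription


@dataclass
class Script:
    name: str
    body: str
    origin: Origin
    key: Optional[str] = None  # hotkey the script is bound to, if any
    enabled: bool = True


class ScriptStore:
    """Holds every script the user has and decides what may run."""

    def __init__(self) -> None:
        self.scripts: dict[str, Script] = {}
        self.run_log: list[str] = []  # names of scripts that were actually run

    def add(self, script: Script) -> None:
        # Builtin and locally authored scripts are installed enabled.
        self.scripts[script.name] = script

    def import_shared(self, incoming: list[Script]) -> dict:
        """Rules 1 and 2: merge scripts arriving from a share subscription."""
        report: dict = {"imported": [], "skipped": []}
        for s in incoming:
            existing = self.scripts.get(s.name)
            # Rule 1: never replace a builtin or a user-authored script.
            if existing is not None and existing.origin is not Origin.SHARED:
                report["skipped"].append(s.name)
                continue
            # Rule 2: anything from a share is disabled until the user turns it on.
            self.scripts[s.name] = Script(s.name, s.body, Origin.SHARED, s.key, enabled=False)
            report["imported"].append(s.name)
        # Rule 3: surface every key that is now bound to more than one script.
        report["conflicts"] = self.key_conflicts()
        # Rule 4: importing never executes anything.
        return report

    def key_conflicts(self) -> dict[str, list[str]]:
        by_key: dict[str, list[str]] = {}
        for s in self.scripts.values():
            if s.key:
                by_key.setdefault(s.key, []).append(s.name)
        return {k: sorted(v) for k, v in by_key.items() if len(v) > 1}

    def enable(self, name: str) -> None:
        # Explicit user action; the only way a shared script becomes runnable.
        self.scripts[name].enabled = True

    def on_key(self, key: str) -> Optional[str]:
        """Hotkey handler: returns the name of the script run, or None."""
        candidates = [s for s in self.scripts.values() if s.key == key and s.enabled]
        if len(candidates) != 1:
            # Unbound, only disabled scripts, or ambiguous: run nothing rather than guess.
            return None
        return self.run(candidates[0].name)

    def run(self, name: str) -> Optional[str]:
        """The user's explicit 'run this script' action (rule 4 entry point)."""
        s = self.scripts[name]
        if not s.enabled:
            return None
        self.run_log.append(name)  # stand-in for executing s.body
        return name


def demo() -> tuple:
    """Constructed scenario: a builtin on F1, a user script on F2, then a share arrives."""
    store = ScriptStore()
    store.add(Script("help", "show_help()", Origin.BUILTIN, key="F1"))
    store.add(Script("my_cleanup", "archive_old_items()", Origin.LOCAL, key="F2"))
    incoming = [
        Script("help", "steal_data()", Origin.SHARED, key="F1"),         # tries to replace the builtin
        Script("dance", "dance()", Origin.SHARED, key="F5"),             # new key, arrives disabled
        Script("cleanup2", "rm_everything()", Origin.SHARED, key="F2"),  # collides with the user's F2
    ]
    report = store.import_shared(incoming)
    return store, report


if __name__ == "__main__":
    store, report = demo()
    print(report)                     # skipped: help; imported: dance, cleanup2; conflicts: F2
    print(store.on_key("F5"))         # None: shared script still disabled
    store.enable("dance")
    print(store.on_key("F5"))         # dance
```

Dispatch only considers enabled scripts, so the user's own F2 binding keeps working while the shared duplicate sits disabled; once both are enabled the key is ambiguous and `on_key` runs nothing, which is the conservative behaviour rule 3 asks for.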

-- 
  Heikki Toivonen


Open Source Applications Foundation "Dev" mailing list
http://lists.osafoundation.org/mailman/listinfo/dev
