On Sat, 06 Oct 2007 12:43:16 EDT, "Geo." said: > If the application is what exposes the URI handling routine to untrusted > code from the internet, then it's the application's job to make sure that > code is trusted before exposing system components to it's commands, no?
I think that given a system service that says "I will handle a mailto: URI", that a programmer can *reasonably* expect the following: 1) That it will be handed to a program that actually does e-mail, and not a calculator. calc.exe hasn't *yet* followed the programming aphorism that every program grows until it can read e-mail. 2) That said program can protect itself against overtly malicious input. "When people pcp a chocky in their mouth, they don't expect steel bolts to string out and pierce their cheeks" -- Monty Python.
pgp0omixJD1mc.pgp
Description: PGP signature
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
