On Jan 3, 2006, at 6:08 PM, Mark Wieder wrote:

Dave-

Tuesday, January 3, 2006, 1:02:42 AM, you wrote:

Unfortunately, I think someone could also add links in web pages to
stacks that read/delete your hard drive contents, install and launch
other apps, etc.

Yes, that was my first thought as well. I'm quite uncomfortable with
the idea of having web pages that launch executable programs. Does the
mime type possibly launch DreamCard in secureMode? That would offer at
least some protection.


Well, yes... you can format the hard drive with some shell(). Since we code the AppleEvent handler we can set the secureMode on there and also, you can see the URL and not trust it. For example, if someone is setting this up for some local school educational resources, then the handler could only trust some given domain...

And as Richard asked, I discovered a way to set everything programmatically from inside a Revolution Stack. I found which plists to change, what to add and how to refresh LaunchServices after that, so anyone running a stack actually add such holes. It's easier than you think... I am not putting those scripts in the list, although I made some nice stack demoing the stuff.

If someone with a useful idea for this kind of solution needs these kinds of scripts, just contact me off list and I will assist. This is the same way that Apple launches applescript:// URLs (yes, one can launch applescripts... I do think they open in the editor instead of execute...)

I was thinking more along the lines of easing the user experience, but it's a big security hole... not a hole because it's not a bug, this behaviour is akin to malware/trojan behaviour if used in a bad manner. The idea came to me after playing the Second Life Online Game... it's a very nice game and it registers a secondlife:// protocol so that people can make pages and link to things inside the game... I thought how wonderful....

cheers
andre


--
-Mark Wieder
 [EMAIL PROTECTED]
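
The "only trust some given domain" check mentioned in the reply above, sketched as an added example that is not from the thread or from Revolution itself. The scheme name `stack`, the host `resources.school.example` and the `.rev` extension are assumptions made for illustration; a real handler would still enable secureMode before opening anything that passes.

```python
from urllib.parse import urlsplit, unquote

SCHEME = "stack"                                # hypothetical custom scheme
TRUSTED_HOSTS = {"resources.school.example"}    # constructed allowlist
STACK_SUFFIX = ".rev"                           # assumed stack file extension

def vet_stack_url(url):
    """Return (ok, reason) for a URL handed to the protocol handler."""
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port  # port may raise ValueError
    except ValueError:
        return False, "malformed URL"
    if parts.scheme != SCHEME:
        return False, "wrong scheme"
    # user@host syntax is a common way to disguise the real host
    if parts.username is not None or parts.password is not None:
        return False, "userinfo not allowed"
    if port is not None:
        return False, "explicit port not allowed"
    # Exact match only: suffix or substring tests would accept
    # resources.school.example.attacker.example
    if host not in TRUSTED_HOSTS:
        return False, "host not on allowlist"
    path = unquote(parts.path)                   # decode %2e%2e before checking
    if ".." in path.split("/") or "\\" in path or "\x00" in path:
        return False, "path traversal"
    if parts.query or parts.fragment:
        return False, "query/fragment not allowed"
    if not path.endswith(STACK_SUFFIX):
        return False, "not a stack file"
    return True, "ok"

if __name__ == "__main__":
    # Constructed sample URLs, as a web page link might supply them
    samples = [
        "stack://resources.school.example/lessons/intro.rev",
        "stack://resources.school.example.evil.example/intro.rev",
        "stack://resources.school.example@evil.example/intro.rev",
        "stack://resources.school.example/a/%2e%2e/%2e%2e/x.rev",
        "file:///etc/passwd",
    ]
    for s in samples:
        print(vet_stack_url(s), s)
```
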


_______________________________________________
use-revolution mailing list
use-revolution@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription preferences:
http://lists.runrev.com/mailman/listinfo/use-revolution
