load command security holes?

Brian Yennie briany at qldlearning.com
Tue Jul 27 15:10:33 CDT 2004


Mark,

Using load URL shouldn't ever be able to execute any code or open a 
stack. I would be different if you were using a "go stack" or "open 
stack" with a URL, but load URL should only download, and won't treat 
such as a stack unless you explicitly address it that way in your own 
code.

HTH,
Brian

> How secure is the load command in Rev standalone applications?
> When I use "load URL myURL," is it possible ever to download a harmful 
>  executable application that could some how escape or run from or 
> within the cache? I'm not considering that the file being downloaded 
> would be a stack. In other words it should only be a text file or an 
> MTML file. But what would happen if a user created a link to a stack 
> file that would then save itself or do something else? Would that 
> stack file somehow run or start on its own while in the cache? 
> Something like that could be used to destroy global vars in the 
> simplest form of malicious activity.



More information about the use-livecode mailing list