One cute hack for MacOS X (... or nice internet protocol helper hacks...)
soapdog at mac.com
Tue Jan 3 14:25:08 CST 2006
On Jan 3, 2006, at 6:08 PM, Mark Wieder wrote:
> Tuesday, January 3, 2006, 1:02:42 AM, you wrote:
>> Unfortunately, I think someone could also add links in web pages to
>> stacks that read/delete your hard drive contents, install and launch
>> other apps, etc.
> Yes, that was my first thought as well. I'm quite uncomfortable with
> the idea of having web pages that launch executable programs. Does the
> mime type possibly launch DreamCard in secureMode? That would offer at
> least some protection.
Well, yes... you can format the hard drive with some shell(). Since
we code the AppleEvent handler we can set the secureMode on there and
also, you can see the URL and not trust it. For example, if someone is
setting this up for some local school educational resources, then the
handler could only trust some given domain...
And as Richard asked, I discovered a way to set everything
programmatically from inside a Revolution Stack. I found which plists
to change, what to add and how to refresh LaunchServices after that,
so anyone running a stack can actually add such holes. It's easier than
you think... I am not putting those scripts in the list, although I
made some nice stack demoing the stuff.
If someone with a useful idea for this kind of solution needs this
kind of scripts, just contact me off list and I will assist. This is
the same way that Apple launches applescript:// URLs (yes, one can
launch applescripts... I do think they open in the editor instead of
I was thinking more along the lines of easing the user experience,
but it's a big security hole... not a hole because it's not a bug,
this behaviour is akin to malware/trojan behaviour if used in a bad
manner. The idea came to me after playing the Second Life Online
Game... it's a very nice game and it registers a secondlife://
protocol so that people can make pages and link to things inside the
game... I thought how wonderful....
> -Mark Wieder
> mwieder at ahsoftware.net
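
The domain restriction suggested in the message above ("the handler could only trust some given domain"), sketched as an added example that is not part of the original post and is not Revolution code. The `revstack` scheme, the `stacks.school.example` host and the function name are assumptions made for illustration.

```python
# Added example: allowlist check a custom URL-scheme handler could run
# before fetching anything. Scheme and host names are hypothetical.
from urllib.parse import urlsplit, unquote

SCHEME = "revstack"                          # hypothetical scheme name
TRUSTED_HOSTS = {"stacks.school.example"}    # hypothetical allowlist


def resolve_stack_url(url):
    """Return the https:// URL to download, or None if the link is untrusted."""
    try:
        parts = urlsplit(url)
        port = parts.port                    # raises ValueError on a bad port
    except ValueError:
        return None
    if parts.scheme != SCHEME:
        return None
    # "revstack://stacks.school.example@other.example/x" really points at
    # other.example, so any userinfo component is refused outright.
    if parts.username is not None or parts.password is not None:
        return None
    if port not in (None, 443):
        return None
    host = (parts.hostname or "").rstrip(".")
    # Exact match only: a substring or suffix test would also accept
    # "stacks.school.example.other.example".
    if host not in TRUSTED_HOSTS:
        return None
    path = unquote(parts.path)
    # Refuse path traversal (also when percent-encoded), backslashes
    # and control characters.
    if "\\" in path or any(ord(c) < 0x20 for c in path):
        return None
    if ".." in path.split("/"):
        return None
    # Rebuild the URL from validated pieces; query and fragment are dropped.
    return "https://" + host + parts.path


if __name__ == "__main__":
    for link in ("revstack://stacks.school.example/lessons/math.rev",
                 "revstack://stacks.school.example@other.example/x.rev"):
        print(link, "->", resolve_stack_url(link))
```

A handler that gets `None` back would simply ignore the link; one that gets a URL would still open the downloaded stack with secureMode set, as the message describes.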