One cute hack for MacOS X (... or nice internet protocol helper hacks...)

Andre Garzia soapdog at mac.com
Tue Jan 3 15:25:08 EST 2006


On Jan 3, 2006, at 6:08 PM, Mark Wieder wrote:

> Dave-
>
> Tuesday, January 3, 2006, 1:02:42 AM, you wrote:
>
>> Unfortunately, I think someone could also add links in web pages to
>> stacks  that read/delete your hard drive contents, install and launch
>> other apps, etc.
>
> Yes, that was my first thought as well. I'm quite uncomfortable with
> the idea of having web pages that launch executable programs. Does the
> mime type possibly launch DreamCard in secureMode? That would offer at
> least some protection.
>

Well, yes... you can format the hard drive with some shell(). Since
we code the AppleEvent handler we can set the secureMode on there and
also, you can see the URL and not trust it. For example, if someone is
setting this up for some local school educational resources, then the
handler could only trust some given domain...

And as Richard asked, I discovered a way to set everything
programmatically from inside a Revolution Stack. I found which plists
to change, what to add and how to refresh LaunchServices after that,
so anyone running a stack can actually add such holes. It's easier than
you think... I am not putting those scripts in the list, although I
made some nice stack demoing the stuff.

If someone with a useful idea for this kind of solution needs this
kind of scripts, just contact me off list and I will assist. This is
the same way that Apple launches applescript:// URLs (yes, one can
launch applescripts... I do think they open in the editor instead of
executing...)

I was thinking more along the lines of easing the user experience,
but it's a big security hole... not a hole because it's not a bug,
this behaviour is akin to malware/trojan behaviour if used in a bad
manner. The idea came to me after playing the Second Life Online
Game... it's a very nice game and it registers a secondlife://
protocol so that people can make pages and link to things inside the
game... I thought how wonderful....

cheers
andre


> -- 
> -Mark Wieder
>  mwieder at ahsoftware.net

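The "handler could only trust some given domain" idea from the message above, as an added example that is not part of the original post and is written in Python rather than Revolution's own scripting language. The scheme name `revstack`, the host `stacks.school.example`, the `.rev` suffix check and the function name are assumptions made for illustration; the point is that the check has to run on the parsed host, not on the raw string.

```python
import re
from urllib.parse import urlsplit

# Constructed placeholders, not from the original post.
HANDLER_SCHEME = "revstack"                            # hypothetical custom scheme
TRUSTED_HOSTS = frozenset({"stacks.school.example"})   # hypothetical school server
# Each path segment must start with a letter, digit, "_" or "-", so "." and
# ".." segments, empty segments and percent-encoding can never match.
SAFE_PATH = re.compile(r"(?:/[A-Za-z0-9_-][A-Za-z0-9_.-]*)+")


def resolve_stack_url(raw_url):
    """Map a handler URL to the https:// URL to download, or None if untrusted."""
    # Whitespace, control characters and backslashes are parsed differently
    # by different URL libraries, so refuse them outright.
    if not isinstance(raw_url, str) or re.search(r"[\x00-\x20\x7f\\]", raw_url):
        return None
    try:
        parts = urlsplit(raw_url)
        port = parts.port            # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme != HANDLER_SCHEME:
        return None
    # "trusted-host@other-host" puts the trusted name in the userinfo field;
    # the real host is what follows the "@".
    if parts.username is not None or parts.password is not None:
        return None
    if port is not None or parts.query or parts.fragment:
        return None
    # Exact match on the parsed host: a substring or suffix test would also
    # accept "stacks.school.example.other.example".
    host = parts.hostname or ""
    if host not in TRUSTED_HOSTS:
        return None
    if not SAFE_PATH.fullmatch(parts.path) or not parts.path.endswith(".rev"):
        return None
    # Rebuild the URL from validated parts instead of reusing the raw string.
    return "https://" + host + parts.path
```

A handler that gets None back should do nothing at all; a stack fetched from an accepted URL is still untrusted code and belongs in secureMode, as the thread suggests.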