| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 9 Oct 2007 23:18:38 +0200 From: Thierry Zoller <Thierry@...ler.lu> To: "KJK::Hyperion" <hackbunny@...tpj.org> Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com Subject: Re[2]: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape, Miranda, Skype Dear KJK, KH> I repeat. Nowhere is said that ShellExecute (the default "run stuff" KH> function) takes URLs. Nowehere is determined that it does NOT take URLS. You forget a consideration, an Important one in my opinion. This is not straight forward ShellExecute(), it's a shellexecute call to a Handler. This makes a world of difference because you cannot tell what the handler does (at least you are not supposed to). I mean for example this one, the mailto: handler is defined on my box I am writing from as : [HKEY_CLASSES_ROOT\mailto\shell\open\command] @="C:\\Programme\\The Bat!\\thebat.exe\" %1 As a thid party developer I am not supposed to know what that application does as a third party developer I am not supposed to collect every possible application on earth and test what stuff I have to filter out to protect THAT application. Still with me ? *I* think, normalistaion _in this particular case_ has to be done by the function. Sorry my opinion. -- http://secdev.zoller.lu Thierry Zoller Fingerprint : 5D84 BFDC CD36 A951 2C45 2E57 28B3 75DD 0AC6 F1C7
Powered by blists - more mailing lists