lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <5980.1191770461@turing-police.cc.vt.edu>
Date: Sun, 07 Oct 2007 11:21:01 -0400
From: Valdis.Kletnieks@...edu
To: "Geo." <geoincidents@....net>
Cc: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: Re: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape, Miranda, Skype

On Sat, 06 Oct 2007 12:43:16 EDT, "Geo." said:

> If the application is what exposes the URI handling routine to untrusted 
> code from the internet, then it's the application's job to make sure that 
> code is trusted before exposing system components to it's commands, no?

I think that given a system service that says "I will handle a mailto: URI",
that a programmer can *reasonably* expect the following:

1) That it will be handed to a program that actually does e-mail, and not
a calculator.  calc.exe hasn't *yet* followed the programming aphorism that
every program grows until it can read e-mail.

2) That said program can protect itself against overtly malicious input.

"When people pcp a chocky in their mouth, they don't expect steel bolts to
string out and pierce their cheeks" -- Monty Python.

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ