List:       bugtraq
Subject:    Re: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape, Miranda, Skype
From:       Valdis.Kletnieks () vt ! edu
Date:       2007-10-07 15:21:01
Message-ID: 5980.1191770461 () turing-police ! cc ! vt ! edu


On Sat, 06 Oct 2007 12:43:16 EDT, "Geo." said:

> If the application is what exposes the URI handling routine to untrusted 
> code from the internet, then it's the application's job to make sure that 
> code is trusted before exposing system components to its commands, no?

I think that given a system service that says "I will handle a mailto: URI",
that a programmer can *reasonably* expect the following:

1) That it will be handed to a program that actually does e-mail, and not
a calculator.  calc.exe hasn't *yet* followed the programming aphorism that
every program grows until it can read e-mail.

2) That said program can protect itself against overtly malicious input.

"When people pop a chocky in their mouth, they don't expect steel bolts to
spring out and pierce their cheeks" -- Monty Python.
