Hello team,
perhaps prematurely, perhaps late, I am opening an important research and
testing topic: the security of the scripting facility. The questions that
worry me are the following:
Q1: Can there be a malicious script in the mind map, one that tries to wipe
out a user's hard drive?
Q2: Can the scripts access all the public APIs of FreeMind Java code? If so,
then when we change the APIs in a future release, we break a lot of user
scripts.
Q3: Related to Q1, is there a way to restrict the access of the scripting
system to Java system classes, like File?
Q4: Related to Q2, is there a way to restrict the access of the scripting
system to a selected set of public interfaces?
IMO all these questions need to be addressed before we can release the
scripting system to the public. The worst, default solution that comes to my
mind is to switch off the scripting facility by default, making it possible
for the user to enable it; when the user tries to enable the scripting
facility, she gets a warning that she should use the scripting facility at
her own risk.
Packages like Microsoft Office and OpenOffice can be looked for inspiration
and a model for how to solve these issues.
Best regards,
Dan
-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems? Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
_______________________________________________
Freemind-developer mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/freemind-developer
