On 20.07.2011 03:30, Anthony Lieuallen wrote:
> Can you be more specific? Do you mean [1]? That seems to be an information disclosure problem, acceptable in some situations. If you can come up with a different version that works and doesn't have that specific problem, please do.

Hi,

yes, that's the discussion I was referring to. As I already wrote in the e-mail, I don't understand the code, so I can't improve it either. The worst problem about not understanding it is that I've got no idea why that script is a "big security risk", if this term is rectified, if that is a problem that applies for me and so on.

I'm not new to JS or Greasemonkey and I'm certainly not what you'd call a rookie, but I'm just as well far from what you'd call a pro. You have to imagine that I now see code which I don't understand, and someone says "it is a big security risk to leave this userscript unfixed". Wouldn't you - like me - wonder what is worse? I've got those three alternatives:

1) Use my code that is short, easy, independent from others and at least logically appears to be safe for me.

2) Use code written by someone else, so complex that I don't get the hang of how it works in detail, dependent on various features like JSON, RegExp, eventListeners and messages that could change or make the script break, and also code that wasn't maintained for months in spite of being said to be "a big security risk".

3) Get the complete HTML source and extract the value by regular expressions, which is IMO a bit overhead to get 2 characters from source code. I have to add that I can't safely tell which of all script tags will contain the variable as the included scripts change from time to time and may differ for each page.

> Right now, as far as we know, there is not.  In the past there
> definitely was [2].  Are we perfect and able to predict every
> vulnerability?  No.

I don't intend to sue you based on what you say now in case it does not apply for the next 3 years. ;)

Before I read the article about unsafeWindow and all the examples, I couldn't even imagine how to hijack GM at all. I asked here because I thought that I'm maybe just too inexperienced and might not see a risk because I don't know about some vulnerabilities. Actually, this already applied, because although I understand how the hijacking in link [2] works, I had never thought about that because I didn't know there's something like "window.__defineGetter__".

I'm making scripts just for me to make my life easier. However I don't want to make my scripts "quick and dirty" because if they are working well I'm intending to publish them.

> At the very least, pages are definitely able to lie about the values you
> access, to confuse/break your script.

It's only used on one domain and nearly all its pages. That domain is 100% trusted (lyrics.wikia.com, I'm one of the admins there). Hence I don't think they'll fool or hijack GM-scripts, and even if they fooled the value, as the script is just trying to determine the default language, that's not too bad. If the determined language is not available as l10n of my script, it'll use English anyway until you change it to something else that is available in the script's settings.

Thanks for your reply, Chris
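
Added example, not part of the original thread or of anyone's script in it: one way to treat a language value read from the page as untrusted input, so that a page that lies about it can at worst select another shipped translation or the English fallback. The names `AVAILABLE_L10N`, `FALLBACK` and `pickLanguage`, and the sample values, are assumptions made for illustration.

```javascript
// Hypothetical list of translations the userscript ships (constructed sample).
const AVAILABLE_L10N = new Set(['en', 'de', 'fr']);
const FALLBACK = 'en';

// pageValue is whatever the script obtained from the page. The page controls
// it completely, so it is validated here and never trusted as-is.
function pickLanguage(pageValue) {
  // Type check first. A page can supply an object whose toString/valueOf
  // runs page code; rejecting non-strings means we never coerce it.
  if (typeof pageValue !== 'string') return FALLBACK;

  // Bound the length before matching so oversized input is dropped early.
  if (pageValue.length > 16) return FALLBACK;

  // Accept only "xx" or "xx-region"; markup and other junk fail the match.
  const m = /^([a-z]{2})(?:-[a-z0-9]{1,8})?$/i.exec(pageValue);
  if (!m) return FALLBACK;

  // Allow-list: the result is always one of the script's own constants,
  // never a string supplied by the page.
  const code = m[1].toLowerCase();
  return AVAILABLE_L10N.has(code) ? code : FALLBACK;
}

// Constructed sample inputs, including values a lying page might supply.
const samples = ['de', 'DE-at', 'xx', '<script>', 42, null, { toString: () => 'fr' }];
for (const s of samples) {
  console.log(typeof s, '->', pickLanguage(s));
}
```

This only validates what comes back from the page; how the value is read in the first place is a separate question.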
