> Has this any security implications?
It's certainly not worse than [pdcontrol] whose "browse" method
basically allows you to run arbitrary executables. A Pd project could
contain a malicious binary (disguised as a WAV file) which is
automatically run when you open the main patch - without you ever noticing.
Generally, every single external is a potential security risk since it
contains arbitrary code. Maybe [zexy] contains a backdoor for the NSA,
who knows?
Christof
On 31.08.2021 13:05, IOhannes m zmoelnig wrote:
> On 8/31/21 12:38 PM, Ingo Stock wrote:
>> Looks great!
>> Has this any security implications?
> sure.
> if the user is allowed to overwrite "C:\Windows\system32\rundll32.exe"
> they could inject malicious code.
> or delete that file.
> however, if they are allowed to overwrite that file, they can already
> replace it with the contents of a WAV-file to bork the system.
> so I don't think there are additional security implications¹.
>> Could this be used to attack other
>> computers?
> *other* computers?
> no, not really.
> it provides an interface to your filesystem.
> unless your filesystem lives on other computers, i don't see how you
> could impact them.
> gfmasdr
> IOhannes
> ¹ i wonder whether it would be possible (with Pd>=0.42) to create a
> patch that creates a gui-plugin on the fly.
> if this is true, then you can already do everything that [file] allows
> you to do - and much more.
> gfmadsr
> IOhannes
_______________________________________________
[email protected] mailing list
UNSUBSCRIBE and account-management ->
https://lists.puredata.info/listinfo/pd-list
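
As an added illustration of the scenario raised in the thread (a binary disguised as a WAV file inside a Pd project), and not code from the thread or from Pd: a header check that flags `.wav` files whose leading bytes are an executable format rather than RIFF/WAVE. The sample files are constructed and the function names are hypothetical.

```python
import os
import tempfile

# Leading bytes of common executable formats.
EXEC_MAGIC = {
    b"MZ": "Windows PE",
    b"\x7fELF": "ELF",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit",
    b"\xca\xfe\xba\xbe": "Mach-O universal or Java class",
    b"#!": "script with shebang",
}

def classify_wav(path):
    """Return 'wav', an executable format name, or 'unknown' from the header."""
    with open(path, "rb") as f:
        head = f.read(12)
    if head[:4] == b"RIFF" and head[8:12] == b"WAVE":
        return "wav"
    for magic, name in EXEC_MAGIC.items():
        if head.startswith(magic):
            return name
    return "unknown"

def audit_project(root):
    """List (relative path, verdict) for every *.wav that is not RIFF/WAVE."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".wav"):
                full = os.path.join(dirpath, name)
                verdict = classify_wav(full)
                if verdict != "wav":
                    findings.append((os.path.relpath(full, root), verdict))
    return sorted(findings)

def demo():
    """Build a constructed sample project in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as root:
        samples = {  # constructed headers, not real files
            "kick.wav": b"RIFF\x24\x00\x00\x00WAVEfmt ",
            "snare.wav": b"MZ\x90\x00\x03\x00\x00\x00",
            "hat.wav": b"\x7fELF\x02\x01\x01\x00",
        }
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        return audit_project(root)

if __name__ == "__main__":
    for path, verdict in demo():
        print(f"{path}: {verdict}")
```

A header check only catches a renamed file; it says nothing about externals, which the thread notes contain arbitrary code by design.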