Re: NSSecureCoding & NSAttributedString
FYI, you can define your own attributes using your own keys and values not defined by the frameworks, and the frameworks will ignore them from the standpoint of drawing. In one app, I used an attribute to add a time stamp to a run of text and overrode the glyph drawing so that when my code saw that attribute, it would draw an appropriate border around the entire run. I didn’t have a need to send that attributed string to other apps, but if I did, I would hope my custom attributes would be preserved round-trip provided the run was preserved. -- Gary L. Wade http://www.garywade.com/ > On Feb 18, 2018, at 2:26 PM, Quincey Morris >wrote: > > I dunno. I always though of the attributes as something extensible, but I > guess they’re not really. (They can’t be, in NSAttributedString is an > interchange format between apps.) Looking at the documented list, I would be > worried about NSTextAttachment, which isn’t even documented as conforming to > NSSecureCoding. Those NSAccessibility… keys don’t look too safe either. ___ Cocoa-dev mailing list (Cocoa-dev@lists.apple.com) Please do not post admin requests or moderator comments to the list. Contact the moderators at cocoa-dev-admins(at)lists.apple.com Help/Unsubscribe/Update your Subscription: https://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com This email sent to arch...@mail-archive.com
Re: NSSecureCoding & NSAttributedString
On Feb 18, 2018, at 14:27 , Markus Spoettlwrote: > > yet this works (don't know why) I did this in Swift (so I could use a playground): > print (NSTextTab.self.conforms (to: NSSecureCoding.self)) // true > print (NSTextList.self.conforms (to: NSSecureCoding.self)) // true > print (NSShadow.self.conforms (to: NSSecureCoding.self)) // false ___ Cocoa-dev mailing list (Cocoa-dev@lists.apple.com) Please do not post admin requests or moderator comments to the list. Contact the moderators at cocoa-dev-admins(at)lists.apple.com Help/Unsubscribe/Update your Subscription: https://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com This email sent to arch...@mail-archive.com
Re: NSSecureCoding & NSAttributedString
On 2/18/18 23:01, Markus Spoettl wrote: As for additional NSAttributeString "companion" classes, I'm still open for suggestions. Sure enough I found other pulprits: NSTextList and NSShadow. According to the header, NSTextList does not conform to NSSecureCoding, yet this works (don't know why). However the decoder stops playing nice with NSShadow, which also doesn't conform to NSSecureCoding. For testing I copy/pasted complex web pages from the browser into my text field and tried loading that. First from Firefox (which brought in NSTextList) then from Safari which added NSShadow. I'm sure there are other problem cases still hiding but given that it's so easy to produce an NSAttributedString that will blow up on loading I can bury any hope this will work eventually. Ever. Thanks for listening :) Regards Markus -- __ Markus Spoettl ___ Cocoa-dev mailing list (Cocoa-dev@lists.apple.com) Please do not post admin requests or moderator comments to the list. Contact the moderators at cocoa-dev-admins(at)lists.apple.com Help/Unsubscribe/Update your Subscription: https://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com This email sent to arch...@mail-archive.com
Re: NSSecureCoding & NSAttributedString
On Feb 18, 2018, at 14:01 , Markus Spoettlwrote: > > Arrays are easy to enforce but dictionaries are really a weak spot. For > starters you can't define which classes are acceptable as keys and which as > values. What if you have collection classes as values, what layout is > acceptable in sub-entries? None of that is expressible. Arrays aren't safe from structural attacks, I think. There’s no way of expressing an array of *only* some element class — an actual element that is an array of the stated element class will pass the global check. > As for additional NSAttributeString "companion" classes, I'm still open for > suggestions. I dunno. I always though of the attributes as something extensible, but I guess they’re not really. (They can’t be, in NSAttributedString is an interchange format between apps.) Looking at the documented list, I would be worried about NSTextAttachment, which isn’t even documented as conforming to NSSecureCoding. Those NSAccessibility… keys don’t look too safe either. At this point, though, I don’t trust myself to reason about what’s safe and what’s not. ___ Cocoa-dev mailing list (Cocoa-dev@lists.apple.com) Please do not post admin requests or moderator comments to the list. Contact the moderators at cocoa-dev-admins(at)lists.apple.com Help/Unsubscribe/Update your Subscription: https://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com This email sent to arch...@mail-archive.com
Re: NSSecureCoding & NSAttributedString
On 2/18/18 22:02, Quincey Morris wrote: On Feb 18, 2018, at 10:30 , Markus Spoettl> wrote: The decoder isn't terribly concerned with where the individual classes will occur, just that they might. I was going to reply that it’s stupid that it behaves like this, but I guess it makes some sense after all. The secure coding protection against class substitutions can be global like this, since class identities are global in the archive. Still, you should probably assert “[notes isKindOf: [NSAttributedString class]]” immediately after that decode. Maybe I’m overthinking it, but I’d worry that your workaround enables some other kind of attack. For example, without the check, a maliciously-crafted archive that cause “notes” to be a NSTextTab could potentially crash your app, and that in turn might open up a vulnerability. Yes, I have an NSCoder extension that does exactly that. You also need to consider collections and dictionaries especially. Arrays are easy to enforce but dictionaries are really a weak spot. For starters you can't define which classes are acceptable as keys and which as values. What if you have collection classes as values, what layout is acceptable in sub-entries? None of that is expressible. I can appreciate the technical challenge retro-fitting secure coding into the existing architecture, but what it is right now sure feels like an absolutely bare minimum approach. As for additional NSAttributeString "companion" classes, I'm still open for suggestions. Best Regards Markus -- __ Markus Spoettl ___ Cocoa-dev mailing list (Cocoa-dev@lists.apple.com) Please do not post admin requests or moderator comments to the list. Contact the moderators at cocoa-dev-admins(at)lists.apple.com Help/Unsubscribe/Update your Subscription: https://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com This email sent to arch...@mail-archive.com
Re: NSSecureCoding & NSAttributedString
On Feb 18, 2018, at 10:30 , Markus Spoettlwrote: > > The decoder isn't terribly concerned with where the individual classes will > occur, just that they might. I was going to reply that it’s stupid that it behaves like this, but I guess it makes some sense after all. The secure coding protection against class substitutions can be global like this, since class identities are global in the archive. Still, you should probably assert “[notes isKindOf: [NSAttributedString class]]” immediately after that decode. Maybe I’m overthinking it, but I’d worry that your workaround enables some other kind of attack. For example, without the check, a maliciously-crafted archive that cause “notes” to be a NSTextTab could potentially crash your app, and that in turn might open up a vulnerability. ___ Cocoa-dev mailing list (Cocoa-dev@lists.apple.com) Please do not post admin requests or moderator comments to the list. Contact the moderators at cocoa-dev-admins(at)lists.apple.com Help/Unsubscribe/Update your Subscription: https://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com This email sent to arch...@mail-archive.com
Re: NSSecureCoding & NSAttributedString
On 2/18/18 06:12, Quincey Morris wrote: On Feb 17, 2018, at 20:34 , Glenn L. Austinwrote: Or encode/decode them using Coding, then encode/decode the resulting encoded attributed string data using SecureCoding. Markus already said that archives exist with normally-encoded attributed strings, so that precludes changing the archive format in the way you say. But that does suggest a partial alternative. In the object that decodes the attributed string, Markus can turn “usesSecureCoding” off for that decode only (in the coder object, which has this property defined). This won’t be secure against attacks via the objects *in* the attributed strings, but it would protect the rest of the archive. As a security precaution Turning off requiresSecureCoding once it is turned on causes an exception, so that's not an option. I have now gotten it to work simply by decoding the attributed string like this: NSSet *allowed = [NSSet setWithObjects:[NSAttributedString class], [NSTextTab class], nil]; notes = [[decoder decodeObjectForClasses:allowed] retain]; The decoder isn't terribly concerned with where the individual classes will occur, just that they might. Of course that doesn't mean that it will work generally speaking, just for my special case. I don't mind adding more allowed classes there, any ideas what else I (or rather my users) might encounter? Regards Markus -- __ Markus Spoettl ___ Cocoa-dev mailing list (Cocoa-dev@lists.apple.com) Please do not post admin requests or moderator comments to the list. Contact the moderators at cocoa-dev-admins(at)lists.apple.com Help/Unsubscribe/Update your Subscription: https://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com This email sent to arch...@mail-archive.com