> On May 18, 2020, at 11:51 AM, Mark Sutton wrote:
>
> On Mon, May 18, 2020 at 10:48:12AM -0700, John Ralls wrote:
>> Don't hijack threads, it's rude. Start a new one when you have a new
>> question.
>>
>> OFX Direct Connect is just like importing an OFX or QFX file downloaded from
>> your bank's website except that it will connect to the bank and get the OFX
>> file for you.
>
> I hope this does not seem like a hijack, but this discussion made me think
> I should ask a question that has been on my mind since Jan.
> What is the use profile of webkit in gnucash? I thought for some reason
> it only was used to render reports created by gnucash, i.e. never interacts
> with foreign data. Is that correct? I wonder because of remote exploitability
> of versions prior to 2.26.3.

At least you changed the subject line, but I don't see why you didn't just
create a new message instead of replying to an unrelated one.

Yes, GnuCash uses WebKit only for rendering reports and doesn't expose the
WebKit API to scripting, though a bad actor with privs to install arbitrary
files into a user's directory could get WebKit to read a maliciously installed
file. On the other hand, if a bad actor has that kind of access to your machine
there are probably less arcane ways to cause trouble.

Regards,
John Ralls
___
gnucash-user mailing list
gnucash-user@gnucash.org