Re: merge sensible-browser in xdg-open AKA how to select the best browser
Hi,

I think we made our opinions clear, like they were clear on IRC; but the reason I started this thread is to have *others'* opinions.

On Sat, Aug 1, 2009 at 21:12, Bernhard R. Link b...@pcpool00.mathematik.uni-freiburg.de wrote:
> * Sandro Tosi mo...@debian.org [090801 20:22]:
>> x-o is just a glue around other tools to try to identify the best candidate to open a file/URL. So there are 2 options: or is so damn wrong that it must be removed from the archive,
>
> I'm not claiming it is totally wrong. As I said I did not look at what it does. All I want to ask for: If you reinvent the wheel please make it at least round. Better learn from the wheels that were there before. It's really depressing to see the same security problems again and again and again.

Ok, so are you going to help x-o be a better tool and fix those 'depressing' problems?

>> or there must be a stronger reasoning to not merge s-b in x-o (even more that x-o already uses s-b) than *hypothetical* security problems.
>
> All I ask for is that you understand that you are about to change the relevant semantics of something security relevant, and act accordingly.

What? All I'm trying to do is say hey man, if you need to open a url, do it with x-o as you've done with x-b. If a tool is using s-b, then even *now* calling x-o will do the right thing (using the preferred browser or calling s-b itself). If I want to open a URL, and I pass to x-o a file, then it's a user or a programming error, that should be fixed. I don't see a security problem here.

And anyhow, I fail to see any single proposal from you about how to actually *solve* this problem. My idea is to have just one single program to open a URL, and x-o is superior from a user's POV (because it uses the preferred application not the one via alternatives, so decided by the maintainers).

If you want to help out with this, you're welcome, but just criticizing without proposing anything in opposition is quite pointless IMHO:

- I see x-o being better for users, and since it already uses s-b (and both they do the same thing) so merging in one is nice to have
- you say x-o is dangerous but then you say it's not that a problem (no bug report, for example)
- you think that if I want to open a URL and I pass a file it's a fail of a tool
- I proposed to have a reinforcing option (or a symlink s-b -> x-o for example, so x-o can check $0 and act upon) to make x-o only trying to open a url with the parameter given (of course, if the maintainer accepts this)
- it seems you don't want to help in making the tool better or improve the situation, but just shooting at me.

Cheers,
-- 
Sandro Tosi (aka morph, morpheus, matrixhasu)
My website: http://matrixhasu.altervista.org/
Me at Debian: http://wiki.debian.org/SandroTosi

-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Re: merge sensible-browser in xdg-open AKA how to select the best browser
On Sun Aug 02 09:26, Sandro Tosi wrote:
>> All I ask for is that you understand that you are about to change the relevant semantics of something security relevant, and act accordingly.
>
> What? all I'm trying to do is say hey man, if you need to open a url, do it with x-o as you've done with x-b.

I think that most of these issues could be fixed with the addition of an xdg-browser, which only opens a web browser and nothing else. More integration between desktop environments and other parts of the system is always a good idea, so I'd encourage some integration between the two, whether it's replacing s-b with xdg-something or having s-b call xdg-something in a non-recursive fashion.

> - you say x-o is dangerous but then you say it's not that a problem (no bug report, for example)

It's not a bug per se, it's just that the security model between the two is different, and that's fine. However, to directly use x-o in the place of s-b would be to change the security model under the hood. This is bad because you get a disconnect between what people _expect_ can happen and what can _actually_ happen. Hence why I like the xdg-browser suggestion, which keeps the same semantics.

Matt
-- 
Matthew Johnson

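The URL-only semantics discussed in this thread (an opener that refuses anything that is not a web URL, so a local file is never passed on for MIME-type dispatch), sketched as an added example that is not part of any message here nor of xdg-utils or sensible-utils. `url_only_target`, `open_url_only` and the `BROWSER_OPENER` variable are hypothetical names, and the sample arguments are constructed.

```sh
#!/bin/sh
# Added example: URL-only front end for a generic opener.
# url_only_target and open_url_only are hypothetical names.

# Print "accept" or "reject:<reason>"; return 0 only for http(s) URLs.
url_only_target() {
    target=$1
    case $target in
        '') echo "reject:empty";  return 1 ;;
        -*) echo "reject:option"; return 1 ;;    # would be read as a flag
        *:*) ;;                                  # has a scheme, checked below
        *)  echo "reject:no-scheme"; return 1 ;; # bare path or file name
    esac
    # Scheme is the text before the first ':'; schemes are case-insensitive.
    scheme=$(printf '%s' "${target%%:*}" | tr 'A-Z' 'a-z')
    case $scheme in
        http|https) ;;
        *) echo "reject:scheme"; return 1 ;;     # file:, mailto:, "/tmp/a:b"
    esac
    # Require "//" and a non-empty host, so "http:/etc/passwd" is refused.
    rest=${target#*:}
    case $rest in
        //*) host=${rest#//}; host=${host%%/*} ;;
        *)   echo "reject:malformed"; return 1 ;;
    esac
    [ -n "$host" ] || { echo "reject:malformed"; return 1; }
    echo "accept"
}

# Hand the argument to a browser only, never to a MIME-dispatching opener.
# BROWSER_OPENER is an assumption of this example (default: sensible-browser).
open_url_only() {
    verdict=$(url_only_target "$1") || {
        echo "refusing to open '$1' ($verdict)" >&2
        return 2
    }
    "${BROWSER_OPENER:-sensible-browser}" "$1"
}

# Constructed sample arguments, as a calling program might pass them.
for sample in "https://www.debian.org/" "HTTP://example.org/x.html" \
              "report.html" "/tmp/download.html" "file:///tmp/download.html" \
              "--help" "http:///nohost"; do
    printf '%-30s %s\n' "$sample" "$(url_only_target "$sample")"
done
```

A caller that means "open this URL" gets a refusal for a path or a `file:` URL instead of a silent change in what gets executed.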
merge sensible-browser in xdg-open AKA how to select the best browser
Hi all,

this comes from #539191 and the discussion that generated on #d-devel.

With Clint (s-b maintainer) we seem to have agreed that since:

- xdg-open identifies the preferred browser the user selected in his DE environment (like Gnome, KDE, XFCE, etc)
- s-b relies on alternatives, that might differ from user's selection
- xdg-open falls back to s-b in case it's not in a DE env

we can merge the s-b code into x-o.

Right when I was about to reassign the bug (with the above reasoning) I received a "please don't". AFAIUI the main reasoning behind this request is that x-o can also open files with the preferred application and not only URLs, and that can be a sort of security problem (for example x-o a malicious/dangerous file instead of a URL). But a reply from the originator is welcome to clarify it :)

Honestly, I don't see that problem (but it won't surprise anyone if I'm wrong) because it's something similar to double-click on a malicious/dangerous executable in a file manager, hence why I wanted to bring this to a wide audience.

The questions are:

- do you think that converging to x-o as the default way to open a browser is something interesting? (merging s-b into x-o)
- might the addition of a --browser option to x-o (or a xdg-browser symlink to x-o and the latter to recognize the exec called and act accordingly) be a solution to the above problem (if a problem exists)?

Thanks for your feedback.

Have fun,
-- 
Sandro Tosi (aka morph, morpheus, matrixhasu)
My website: http://matrixhasu.altervista.org/
Me at Debian: http://wiki.debian.org/SandroTosi

Re: merge sensible-browser in xdg-open AKA how to select the best browser
* Sandro Tosi mo...@debian.org [090801 17:55]:
[ making sensible-browser a symlink to xdg-open]
> Honestly, I don't see that problem (but it won't surprise anyone if I'm wrong) because it's something similar to double-click on a malicious/dangerous executable in a file manager, hence why I wanted to bring this to a wide audience.

Please consider the following cases, which are usually considered security bugs:

- some commercial mail program (you may guess one time which company wrote it), automatically played audio files attached to an email when opening it. To determine it is an audio file it looked at the mime type, to play it the usual generic file opening code is used. You may guess one time what happens if such a file is called virus.exe.
- The browser links (or one of its many derivatives) has a list of external programs for the different file types. When it is about to start an external program it shows what file and which content type (and I think which program) it is about to start. Sadly that default was for images not 'see image/png:%' and so on, but only 'see %'. As wine was registering itself as program to open windows executables with, people suddenly got wine starting up, when they thought they had only authorized starting an image.

Even in the case of the file manager quoted above, I consider any program just calling xdg-open[2] with it as very likely a security problem. While users should not click on arbitrary stuff, they are usually shown a file-type of what they click on: some text in mail program's attachment list, an icon in a file manager and so on. Thus causing it to start something else[1] is not the fault of the user, but that of the program.

The possible problem with changing sensible-browser I see: Currently sensible-browser is opening a browser. All browsers I have yet met only show html (with enough ugly things like javascript and plugins, but only what you also expose when surfing the net) or ask before starting another program (or were told to never ask again). Thus it is quite thinkable that some program has some file downloaded it thinks is html and gives this file to s-b, which would not be a problem now, but with xdg-open it likely could be.

Respectfully yours,
Bernhard R. Link

[1] one could argue no such list should contain possible harmful things, but especially with interpreters it is hard to be sure there is none left.
[2] without giving the mime-type as some option I do not know xdg-open has got yet...

Re: merge sensible-browser in xdg-open AKA how to select the best browser
Hi Bernhard,

On Sat, Aug 1, 2009 at 18:41, Bernhard R. Link brl...@debian.org wrote:
> * Sandro Tosi mo...@debian.org [090801 17:55]:
> [ making sensible-browser a symlink to xdg-open]
>> Honestly, I don't see that problem (but it won't surprise anyone if I'm wrong) because it's something similar to double-click on a malicious/dangerous executable in a file manager, hence why I wanted to bring this to a wide audience.
>
> Please consider the following cases, which are usually considered security bugs:
>
> - some commercial mail program (you may guess one time which company wrote it), automatically played audio files attached to an email when opening it. To determine it is an audio file it looked at the mime type, to play it the usual generic file opening code is used. You may guess one time what happens if such a file is called virus.exe.
> - The browser links (or one of its many derivatives) has a list of external programs for the different file types. When it is about to start an external program it shows what file and which content type (and I think which program) it is about to start. Sadly that default

not always: iceweasel (just to name one) asks but you can skip that window clicking on a box. Maybe you can skip that check for the every file, didn't want to check.

> Even in the case of the file manager quoted above, I consider any program just calling xdg-open[2] with it as very likely a security problem. While users should not click on arbitrary stuff, they are usually shown a file-type of what they click on: some text in mail program's

they are usually shown a file extension (quite different from the content of the file, if we consider a malicious situation) or an icon, and I think a malicious guy can fake the "show the icon for the file" algorithm.

> The possible problem with changing sensible-browser I see: Currently sensible-browser is opening a browser. All browsers I have yet met only show html (with enough ugly things like javascript and plugins,

I tried iceweasel with png, pdf, txt and also a odt, and guess what, it opened it :) (and I was also surprised it opened the ooffice file in an embedded tab, nice to know ;) ).

> but only what you also expose when surfing the net) or ask before starting another program (or were told to never ask again). Thus it is quite thinkable that some program has some file downloaded it thinks is html and gives this file to s-b, which would not be a problem now, but with xdg-open it likely could be.

So, I think that if you believe that x-o is so dangerous, you should file a grave bug against it and against all the applications that use it. But frankly I feel it too extreme.

Anyway, have you looked at x-o code? the file opening utility (because it seems that the main and only problem with this proposal) uses run-mailcap to open a file, the standard way to open a file or no?

x-o is just a glue around other tools to try to identify the best candidate to open a file/URL. So there are 2 options: or is so damn wrong that it must be removed from the archive, or there must be a stronger reasoning to not merge s-b in x-o (even more that x-o already uses s-b) than *hypothetical* security problems.

Cheers,
-- 
Sandro Tosi (aka morph, morpheus, matrixhasu)
My website: http://matrixhasu.altervista.org/
Me at Debian: http://wiki.debian.org/SandroTosi

Re: merge sensible-browser in xdg-open AKA how to select the best browser
* Sandro Tosi mo...@debian.org [090801 20:22]:
> x-o is just a glue around other tools to try to identify the best candidate to open a file/URL. So there are 2 options: or is so damn wrong that it must be removed from the archive,

I'm not claiming it is totally wrong. As I said I did not look at what it does. All I want to ask for: If you reinvent the wheel please make it at least round. Better learn from the wheels that were there before. It's really depressing to see the same security problems again and again and again.

> or there must be a stronger reasoning to not merge s-b in x-o (even more that x-o already uses s-b) than *hypothetical* security problems.

All I ask for is that you understand that you are about to change the relevant semantics of something security relevant, and act accordingly.

to the rest of the mail:

>> - The browser links (or one of its many derivatives) has a list of external programs for the different file types. When it is about to start an external program it shows what file and which content type (and I think which program) it is about to start. Sadly that default
>
> not always: iceweasel (just to name one) asks but you can skip that window clicking on a box. Maybe you can skip that check for the every file, didn't want to check.

The browser links is not the browser iceweasel.

>> Even in the case of the file manager quoted above, I consider any program just calling xdg-open[2] with it as very likely a security problem. While users should not click on arbitrary stuff, they are usually shown a file-type of what they click on: some text in mail program's
>
> they are usually shown a file extension (quite different from the content of the file, if we consider a malicious situation) or an icon, and I think a malicious guy can fake the "show the icon for the file" algorithm.

Some filemanagers might have security problems. Being able to hide a security problem by another security problem does not reduce the problem.

>> The possible problem with changing sensible-browser I see: Currently sensible-browser is opening a browser. All browsers I have yet met only show html (with enough ugly things like javascript and plugins,
>
> I tried iceweasel with png, pdf, txt and also a odt, and guess what, it opened it :) (and I was also surprised it opened the ooffice file in an embedded tab, nice to know ;) ).
>
>> but only what you also expose when surfing the net)

as I said: it's as dangerous as you already are otherwise.

Respectfully yours,
Bernhard R. Link