Nah, using xgb-mime uninstall simply removes the actual software that changes the mime-types. Does nothing to remove the associations. As you say, delete the entry from the mimeapps.list and it will stop the association (after a re-boot that is).
My warning about hackers is that the action can execute a script. Depending on how your script is written it may be possible to have very unintended consequences with allowing scripts to be run direct from a URL. The changes of this happening are extremely low though as the hacker will need to know what mime type and protocol you chose. As to node.js, thats an whole 'nother kettle of fish. On Thursday, 28 January 2021 at 03:18:48 UTC Mark S. wrote: > Thanks Dragon for the reply! > > It doesn't work inside a node.js instance, but then I'm not sure it was > supposed to. It does work from TiddlyDesktop, so that's great! > > Re security, how do I back out these changes? It looks like maybe I just > have to delete a line from ./.config/mimeapps.list ?? Otherwise, all the > instructions talk about using xgb-mime uninstall, but I'm not sure that's > the same thing since I didn't use xgb-mime install in the first place. > > Also, if it can only be invoked from something like TiddlyDesktop running > as user, how would the hacker gain access? Also, if someone can write to my > drive and change the script, haven't I already been hacked? Just trying to > understand the issues. > > Many thanks again -- this was definitely not intuitive ! > > On Wednesday, January 27, 2021 at 10:47:15 AM UTC-8 [email protected] > wrote: > >> Welcome to the wonderful world of Security Vulnerabilities and >> Work-arounds. Don't worry, this is my job. >> >> OK, you need to register a new URL scheme handler. First create a Desktop >> Entry which specifies the mime-type. For example: >> >> [Desktop Entry] >> Type=Application >> Name=TW Bash Script >> Exec=twscript.sh %u >> StartNotify=false >> MimeType=x-scheme-handler/twscript; >> >> Note that the %u passes the URL (eg. twscript://parameters%20here ) as a >> single parameter, according to the Desktop Entry Specification. >> https://specifications.freedesktop.org/desktop-entry-spec/latest/ >> >> Once you have created this Desktop Entry and installed it (put it in the >> local system applications directory ( ~/.local/share/applications/ or >> /usr/share/application/ ) then you must register the application with >> the MIME type (assuming you had named your Desktop Entry twscript.desktop >> >> xdg-mime default twscript.desktop x-scheme-handler/twscript >> >> Any script can then be added to the twscript.sh (make sure it's >> executable of course) and you can parse parameters just as any other >> script. The script should be placed anywhere in your executable path >> ~/.local/bin for example. >> >> In the twscript.sh you'll have to add whatever parsing you need. You >> can't run separate scripts, but parameters are passed and can be checked >> and dealt with as appropriate. >> >> Now, when an application finds the URL twscript:// it knows exactly what >> to do with it. >> >> *WARNING! This will make your system vulnerable to anybody who knows the >> MIME type that you have used. They could create a script which would >> execute on your computer. I would advise against this, but there you go.* >> >> Have fun, >> >> Dragon. >> On Saturday, 23 January 2021 at 19:19:16 UTC Mark S. wrote: >> >>> Thanks for replying! It does have the correct shebang, and runs fine >>> from the command line. If I could include spaces in the file url, then I >>> could run "/usr/bin/sh /path/to/my/script.sh". But I I don't know how to do >>> that in a url line without converting to to %20 , which the OS wouldn't >>> understand. >>> >>> On Saturday, January 23, 2021 at 10:04:23 AM UTC-8 jwd wrote: >>> >>>> What you may be looking for is the correct "Shebang >>>> <https://en.wikipedia.org/wiki/Shebang_(Unix)>" line at the top of the >>>> script that determines the interpreter to use (assuming the executable bit >>>> has been set.) >>>> >>>> Typically I would use something like >>>> #!/usr/bin/env bash >>>> or, if you want to be specific >>>> #!/path/to/your/systems/bash >>>> >>>> The former will use the bash executable found first in the PATH of the >>>> environment of the TiddlyDesktop process; the latter would be preferred >>>> unless the script might run on systems where the path to the interpreter >>>> my >>>> differ, e.g., Macs have an old version of bash by default; while different >>>> Linux distributions' bash may be in /bin or /usr/bin. >>>> >>>> HTH >>>> On Friday, January 22, 2021 at 5:14:22 AM UTC-5 TiddlyTweeter wrote: >>>> >>>>> Ciao Mark S. >>>>> >>>>> I really looked into it. TBH I can't truthfully reply to your simple >>>>> question. >>>>> >>>>> Background: I using (mainly) Timimi to launch from TW (it is fairly >>>>> complex & now retired in the recent version); TiddlyDesktop (fussy, >>>>> mainly >>>>> because it is Chrome inside?); BobEXE (very flexible on scripting; best >>>>> of >>>>> the batch; but overkill for most of my limited needs). >>>>> >>>>> Outcome: too many variants to address your basic query simply. >>>>> >>>>> Best wishes >>>>> TT >>>>> On Monday, 18 January 2021 at 19:30:32 UTC+1 Mark S. wrote: >>>>> >>>>>> I don't suppose you remember if there was a way to insert spaces? A >>>>>> sh script should always know to run itself, but if I could specify >>>>>> "/usr/bin/bash ....myshellscript.sh " that should force the system to >>>>>> invoke it correctly. >>>>>> >>>>>> Thanks! >>>>>> >>>>> -- You received this message because you are subscribed to the Google Groups "TiddlyWiki" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/tiddlywiki/88420f5b-b181-42ba-ba79-f60e1bb8ec40n%40googlegroups.com.
