On Tue, 2006-01-17 at 15:07 +0000, Lee McFadden wrote:
> On 1/17/06, Cliff Wells <[EMAIL PROTECTED]> wrote:
> >
> > Really? How? The URI is hardcoded into the client application, so the
> > only place to acquire potentially "unsafe" code is from the place where
> > they acquired the original application.
> >
> 
> The URL is hardcoded, but the DNS isn't, nor is the hosts file, so a
> malicious bit of software could modify how the client accesses that
> URL.  However this is unlikely and it would have to target your
> software specifically.  Still, it's a consideration.

Yes, but this is the case for installing *any* software off the net,
hence my position that it doesn't provide any new or novel means of
bypassing security.  It's no different than installing the patch du jour
from Apple, Microsoft or Red Hat.  Clearly things like SSL should be
utilized to further minimize risk.

Also, I'd like to point out that pushing XRC at a wxPython client falls
a bit short of pushing actual Python code.  XRC is fundamentally a
markup system, so utilizing that portion of it at least is quite safe.
Simply providing a button that says "Hack me" on it doesn't provide the
client-side logic for doing so.  In my particular application I *am*
providing such a facility (also pushing live Python modules as zip files
to the client), but I'm also taking the usual measures to prevent
tampering.

As an aside, if someone has enough access to tinker with your hosts
file... well I doubt they need to sneakily install software at that
point since they can clearly do whatever they like to your PC ;-)  DNS
is another matter, but again, that's what SSL is for.

Regards,
Cliff
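
Added example, not from this thread or from Cliff's application, of the two defences the message leans on: TLS with hostname verification for the URL baked into the client, and an integrity check on a pushed zip module before it is imported. The SHA-256 digest shipped with the client (one possible "usual measure"; the message does not say which it uses), the `plugin` module name and the sample bundle are assumptions.

```python
import hashlib
import hmac
import importlib
import io
import os
import ssl
import sys
import tempfile
import zipfile

def client_tls_context(verify: bool = True) -> ssl.SSLContext:
    """verify=True needs a cert chaining to a trusted CA *and* matching the
    hardcoded hostname, so a hosts-file or DNS redirect to another machine
    fails the handshake. verify=False is the weak setting, kept for contrast."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False  # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def bundle_is_trusted(data: bytes, expected_sha256: str) -> bool:
    """Constant-time comparison of the downloaded zip with a digest the client ships."""
    return hmac.compare_digest(sha256_hex(data), expected_sha256.lower())

def load_bundle(data: bytes, expected_sha256: str):
    """Import module 'plugin' from the zip, but only after its digest checks out."""
    if not bundle_is_trusted(data, expected_sha256):
        raise ValueError("bundle digest mismatch; refusing to import it")
    fd, path = tempfile.mkstemp(suffix=".zip")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    sys.path.insert(0, path)  # zipimport resolves modules inside .zip entries on sys.path
    try:
        return importlib.import_module("plugin")
    finally:
        sys.path.remove(path)

def make_sample_bundle() -> bytes:
    """Constructed stand-in for a pushed module zip (assumption, not a real bundle)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("plugin.py", "def greet():\n    return 'hello from pushed module'\n")
    return buf.getvalue()
```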
