
Re: Intent to package Xswallow

Martin Read wrote:

> Javier Fernandez-Sanguino Pen~a writes:
> >       Xswallow is a plugin for Netscape that allows ANY X-based application
> > to run inside Netscape. This allows you to run a VRML browser (vrwave,vrweb..) or
> > a midi application inside Netscape without having to expressly save to disk
> > and then run it aside. It works with <EMBED> tags and /etc/mime.types.
> This sounds distressingly like a serious security hole - unless it refuses
> requests resembling "xterm -e foo".  It's not quite as bad as "xhost +",
> I'll admit, but it does sound like a major risk nevertheless.

I don't know...I think it would really depend on how it is implemented...as I remember
the embed tag it goes like this:
<EMBED src="filename" height=xx width=xx>
I suppose if it was pointed at a cgi rather than a file...and the cgi gave it a specific
mime type it could be interpreted and run an application such that it would do
something nasty....but how is this different from a mail program that uses
mime types?
IMHO if a program will accept a file on its command line and then do something
nasty (ie replace/delete files) without any user interaction...then
maybe the security violation is listing it in mime types in the first place

> >       I have tried it with Netscape 3.0 and 4.0b5 (not with Mozilla yet :( )
> > it can be found as a RedHat package so I intend to use this first for the
> > first release. BTW it is GPL'd.

Sounds great to me :) can't wait to try it -Steve

PGP Key at: http://www.gis.net/~sjc/pgp.asc
(BTW Thanx a lot Noah for pointing out why putting my pgp key here was
a bad idea...now I hafta find a new funny quote or something for here)
"Ummm, me make *one* change. Stone hot so me soak in stream so
stone not burn Lorto hand. Small change, should not keep Lorto from
make Fire."
