Security for launching from URL
Ivan Krstić
krstic at solarsail.hcs.harvard.edu
Fri Jul 4 18:42:32 EDT 2008
On Jul 4, 2008, at 1:37 PM, Edward Cherlin wrote:
> My guess is that there is a way to secure the
> process, but it might require some extra effort beyond a software fix,
> like teachers whitelisting URLs for lessons. Or perhaps just
> whitelisting our Moodle instances. Signed lesson plans? At any rate,
> _not_ allowing random outside URLs to launch local activities and give
> them scripts to run.
Mainstream desktop OSes allow installed applications to register
themselves as handlers for particular URI schemes. The applications
are called when a URI under their handled scheme is invoked (such as
by clicking within a browser), and are passed the entirety of the
invoking URI, but no other information.
Assuming the invoked application treats the URI with no additional
trust, just as if it were entered from within the application, there
is no inherent security vulnerability to speak of. Issues would arise,
for example, if the application had a code path that performed
filtering or applied other restrictions to the URIs it used, but
failed to invoke that code path when a URI was passed from the OS
rather than being entered from within the application.
That said, the URI handler approach should be used sparingly. It's one
thing to allow starting an audio player by clicking an MP3 link in the
browser, and another to arbitrarily execute code (e.g. through an
execution environment such as Pippy or eToys) from a web page with a
single click. While Bitfrost is designed to mitigate the side effects
of arbitrary code execution, it's very unwise to make it trivial for
the user to trigger such execution unknowingly.
--
Ivan Krstić <krstic at solarsail.hcs.harvard.edu> | http://radian.org
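The bypass pattern Ivan describes (a filtering code path that runs for URIs typed inside the application but is skipped for URIs handed over by the OS), shown as an added example that is not code from the thread or from Sugar. It assumes a hypothetical `lesson://` scheme, an allow-listed school server host, and that "executable" query parameters are what the filter must refuse.

```python
"""Added example: one activity, two entry points for a URI, one validation chokepoint.
Nothing here is Sugar or Bitfrost code; scheme, host and parameter names are assumed."""
from urllib.parse import urlparse, parse_qs

SCHEME = "lesson"                         # hypothetical URI scheme the activity registers
ALLOWED_HOSTS = {"schoolserver.local"}    # assumed deployment policy (e.g. the Moodle host)
EXEC_PARAMS = ("script", "exec", "activity")  # assumed params that would pick code to run


def validate_uri(uri: str) -> dict:
    """Single chokepoint. Parses the URI and rejects anything that would let an
    outside page choose which local code runs. Raises ValueError on rejection."""
    parts = urlparse(uri)
    if parts.scheme != SCHEME:
        raise ValueError("unexpected scheme: %r" % parts.scheme)
    if parts.hostname not in ALLOWED_HOSTS:
        raise ValueError("host not on allow-list: %r" % parts.hostname)
    params = parse_qs(parts.query)
    refused = [k for k in EXEC_PARAMS if k in params]
    if refused:
        raise ValueError("executable parameters refused: %s" % ", ".join(refused))
    return {"host": parts.hostname, "path": parts.path, "params": params}


def open_from_ui(uri: str) -> dict:
    """URI entered by the user inside the activity: goes through the filter."""
    return validate_uri(uri)


def open_from_os_handler_flawed(uri: str) -> dict:
    """The bug from the post: the OS-handler entry point trusts the URI because the
    OS delivered it, and never calls validate_uri()."""
    parts = urlparse(uri)
    return {"host": parts.hostname, "path": parts.path, "params": parse_qs(parts.query)}


def open_from_os_handler(uri: str) -> dict:
    """Fixed entry point: identical treatment to a URI typed in the UI."""
    return validate_uri(uri)


def os_handler_rejects(uri: str) -> bool:
    """True if the fixed OS-handler path refuses the URI (used for checking)."""
    try:
        open_from_os_handler(uri)
    except ValueError:
        return False if False else True
    return False
```

The constructed URI `lesson://outside.example/math1?script=run_me` is accepted by the flawed handler and refused by the fixed one; a browser click on that link is exactly the "random outside URL" case in the quoted message.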