List:       kde-commits
Subject:    Re: kdegraphics/kpdf/kpdf [POSSIBLY UNSAFE]
From:       George Staikos <staikos () kde ! org>
Date:       2004-09-14 20:01:22
Message-ID: 200409141601.22426.staikos () kde ! org

On Tuesday 14 September 2004 15:56, Albert Astals Cid wrote:
> > > There are links in pdf that contain a command and some parameters (I
> > > have no pdf with that, but it is what I get from reading the xpdf code),
> > > in case the user agrees to execute the command + parameters I execute
> > > them using system (again, it is what xpdf does)
> >
> > I don't think it's a good idea to copy that feature. It's a wide open
> > invitation for worms/viri to entice users to run all kinds of creative
> > crap and there is hardly any legitimate use for such feature. Please
> > leave it out.
>
> What problem do you have with it?
>
> I ask something along the lines of
>
> "Do you want to execute %1" where %1 is the command plus the arguments
>
> I don't see any problem with that. It is the user who decides if he wants to
> execute the program or not.

  If you want to start with two reasons:
1) The user doesn't always know what the real implications of a command are, 
even if it doesn't look bad.
2) The command could be obfuscated or contain control characters of various 
sorts that make the messagebox deceptive.

-- 
George Staikos
KDE Developer				http://www.kde.org/
Staikos Computing Services Inc.		http://www.staikos.net/
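
The second reason given above, as an added example that is not part of the original message and is not kpdf or xpdf code: a Python check that makes hidden characters visible before a command string is placed in a confirmation dialog, and refuses to prompt when any are found. The function names, the 200-character limit and the sample strings are assumptions constructed for illustration.

```python
import unicodedata

# Assumed display limit: a longer command could push its tail out of the dialog.
MAX_DISPLAY = 200
# Cc/Cf = control and format characters (newline, ESC, bidi overrides, zero-width),
# Zl/Zp = line/paragraph separators, Co/Cs/Cn = private use, surrogate, unassigned.
HIDDEN = {"Cc", "Cf", "Zl", "Zp", "Co", "Cs", "Cn"}


def render_for_prompt(command):
    """Return (display_text, warnings) for a command shown in a yes/no dialog."""
    shown, warnings = [], []
    for ch in command:
        cat = unicodedata.category(ch)
        if cat in HIDDEN or (cat == "Zs" and ch != " "):
            # Replace the character with a visible escape and record why.
            shown.append("\\u{%04X}" % ord(ch))
            warnings.append(unicodedata.name(ch, "control character U+%04X" % ord(ch)))
        else:
            shown.append(ch)
    if " " * 8 in command:
        warnings.append("long run of spaces")
    if len(command) > MAX_DISPLAY:
        warnings.append("command longer than %d characters" % MAX_DISPLAY)
    return "".join(shown), warnings


def safe_to_prompt(command):
    """True only if the text the user reads hides nothing and is fully visible."""
    return not render_for_prompt(command)[1]


# Constructed sample inputs (not taken from any real PDF).
SAMPLES = [
    "kcalc",                                 # plain command
    "viewer notes.txt\n\n\n\n\n\n --extra",  # newlines push the tail off screen
    "viewer \u202eabc",                      # RIGHT-TO-LEFT OVERRIDE reverses display
    "viewer\u200b --flag",                   # ZERO WIDTH SPACE, invisible
    "viewer \x1b[2Knotes.txt",               # terminal escape sequence
]

if __name__ == "__main__":
    for s in SAMPLES:
        text, warns = render_for_prompt(s)
        print("REFUSE" if warns else "OK    ", text, warns)
```

This covers only the deceptive-messagebox concern; it does nothing about the first reason, that the user may not understand what a clearly displayed command implies.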