[prev in list] [next in list] [prev in thread] [next in thread]
List: kde-commits
Subject: Re: kdegraphics/kpdf/kpdf [POSSIBLY UNSAFE]
From: Frans Englich <frans.englich () telia ! com>
Date: 2004-09-14 20:28:16
Message-ID: 200409142028.16955.frans.englich () telia ! com
[Download RAW message or body]
On Tuesday 14 September 2004 20:07, Albert Astals Cid wrote:
> A Dimarts 14 Setembre 2004 22:01, David Faure va escriure:
> > On Tuesday 14 September 2004 21:56, Albert Astals Cid wrote:
> > > What problem do you have with it?
> > >
> > > I ask something along the lines of
> > >
> > > "Do you want to execute %1" where %1 is the command plus the arguments
> > >
> > > I don't see any problem with that. Is the user who decides if he wants
> > > to execute the program or not.
> >
> > And what should my mother answer to "Do you want to execute rm -rf $HOME"
> > ?
>
> Everybody should know he has to answer no to something he does not
> understand, it is a basic computers knowledge.
>
> > You have not answered "there is no legitimate use for this feature". Why
> > should a PDF run any kind of command on my system, even after asking me??
>
> No idea.
>
> So you are all basically saying that having a program that follows pdf
> specification is bad?
I don't think we should paint it in black and white, and I agree that the
security implications are too heavy.
On the subject of dumping down, it's not too much asked that using the
computer, such as viewing documents, should not require hacker skills to be
safe. And if there's no legitimate reasons.. A similar discussion was about
KControl's root module loading; a command line expression can only be
interpreted by a very small part of the userbase, and even then, it is very
easily obfuscated.
Cheers,
Frans
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic