Full Disclosure mailing list archives
Re: shell:windows command question
From: Darren Reed <avalon () cairo anu edu au>
Date: Fri, 9 Jul 2004 01:38:02 +1000 (Australia/NSW)
In some mail from Barry Fitzgerald, sie said:
> Darren Reed wrote:
>
> A simple solution would be to add the shell protocol to this list. Personally I think a secure blacklist is hard to maintain as new dangerous external protocols could be invented by third-parties leaving Mozilla vulnerable again.
>
> Completely agreed. There should be a whitelist, not a blacklist... a safe protocols list.
>
> And what would happen? Nobody would configure anything but those. And what would happen next? People would find ways to put their "new stuff" inside the "safe ones". Kind of like how "http" is declared safe (but is it really??) and so every man and their dog tunnels their proprietary stuff through that because it'll go through firewalls.
>
> And you're suggesting that allowing local protocols to run local code per the background call of a website is better?

I'm not suggesting anything other than what I said.

Darren
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
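
The blacklist-versus-whitelist trade-off debated in this message, as an added example that is not part of the original post and not Mozilla's code: it runs the same links through a scheme denylist and a scheme allowlist and shows where the two decisions diverge. Both lists are constructed for illustration, and `vendorapp` is a hypothetical third-party scheme standing in for a "new dangerous external protocol".

```javascript
// Added example: both lists are constructed, not Mozilla's real configuration.
const DENYLIST = new Set(["shell"]);                 // known-bad schemes
const ALLOWLIST = new Set(["http", "https", "ftp"]); // assumed "safe protocols list"

// Return the lowercased scheme of a link, or null for a relative reference.
function extractScheme(link) {
  // URL parsers drop ASCII tab/CR/LF anywhere and leading control chars/spaces,
  // so the check must normalise the same way or "sh\tell:" slips past it.
  const cleaned = link.replace(/[\t\r\n]/g, "").replace(/^[\x00-\x20]+/, "");
  const m = /^([A-Za-z][A-Za-z0-9+.-]*):/.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// Denylist: anything not explicitly listed is handed on (fails open).
function denylistDecision(link) {
  const scheme = extractScheme(link);
  if (scheme === null) return "allow"; // relative link, stays in the page's scheme
  return DENYLIST.has(scheme) ? "block" : "allow";
}

// Allowlist: anything not explicitly listed is refused (fails closed).
function allowlistDecision(link) {
  const scheme = extractScheme(link);
  if (scheme === null) return "allow";
  return ALLOWLIST.has(scheme) ? "allow" : "block";
}

// Evaluate every link under both policies for side-by-side comparison.
function compare(links) {
  return links.map((link) => ({
    link: JSON.stringify(link),
    scheme: extractScheme(link),
    denylist: denylistDecision(link),
    allowlist: allowlistDecision(link),
  }));
}

// Constructed sample links.
const SAMPLE_LINKS = [
  "http://example.com/",
  "page.html",
  "shell:windows",
  "SHELL:windows",
  "sh\tell:windows",
  "vendorapp:run", // hypothetical scheme registered after the lists were written
];

console.table(compare(SAMPLE_LINKS));
```

The allowlist check inspects only the scheme; it says nothing about what is carried inside an allowed protocol such as http, which is the objection raised in the quoted text.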