> On 10 Feb 2016, at 12:22 PM, Jens Alfke <j...@mooseyard.com> wrote:
> 
> It’s to display the release notes, which come from an RSS entry in the feed 
> and are in HTML format. And Sparkle had a couple of bugs relating to that: 
> (a) the WebView was configured to allow JavaScript, and (b) their delegate 
> handled navigation requests to file: URLs by sending them to the Finder. This 
> meant that a malicious feed entry could run a script to download some malware 
> and then tell the Finder to launch the downloaded malware installer.
> 


Got it, so the signing aspect is irrelevant.

Already updated to use https, but of course the problem is that in itself 
requires a Sparkle update… 

—Graham
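
The two bugs Jens describes (JavaScript left enabled in the release-notes WebView, and a policy delegate that hands any navigation, file: included, to the Finder) side by side with a hardened version, as an added Objective-C illustration that is not Sparkle's code and not from the original thread. The controller class names, the constructed release-notes HTML and the file path inside it are assumptions made for the example; the WebKit calls are the legacy WebView API a Cocoa release-notes pane of that era would use.

```objc
#import <Cocoa/Cocoa.h>
#import <WebKit/WebKit.h>

// Constructed release-notes entry standing in for a feed item an attacker
// controls (e.g. by tampering with a feed fetched over plain http). The path
// is made up for the illustration; it is not a real payload.
static NSString *const kHostileReleaseNotes =
    @"<html><body><h1>What's new</h1>"
     "<script>window.location = 'file:///Volumes/Updates/Installer.pkg';</script>"
     "</body></html>";

// Vulnerable shape: scripts run, and every navigation after the initial load
// is forwarded to NSWorkspace regardless of scheme.
@interface VulnerableReleaseNotesController : NSObject
@property (nonatomic, strong) WebView *webView;
@property (nonatomic) BOOL finishedLoading;
- (instancetype)initWithWebView:(WebView *)webView;
- (void)showNotes:(NSString *)html;
@end

@implementation VulnerableReleaseNotesController
- (instancetype)initWithWebView:(WebView *)webView {
    if ((self = [super init])) {
        _webView = webView;
        // Bug (a): JavaScript is left at the WebPreferences default (enabled).
        [webView setFrameLoadDelegate:self];
        [webView setPolicyDelegate:self];
    }
    return self;
}
- (void)showNotes:(NSString *)html {
    [[self.webView mainFrame] loadHTMLString:html baseURL:nil];
}
- (void)webView:(WebView *)sender didFinishLoadForFrame:(WebFrame *)frame {
    if (frame == [sender mainFrame]) self.finishedLoading = YES;
}
- (void)webView:(WebView *)sender
    decidePolicyForNavigationAction:(NSDictionary *)actionInformation
                            request:(NSURLRequest *)request
                              frame:(WebFrame *)frame
                   decisionListener:(id<WebPolicyDecisionListener>)listener {
    if (self.finishedLoading) {
        // Bug (b): no scheme check, so a script-driven file: navigation ends up
        // in the Finder, which launches whatever the feed pointed at.
        [[NSWorkspace sharedWorkspace] openURL:[request URL]];
        [listener ignore];
    } else {
        [listener use];
    }
}
@end

// Hardened shape: scripts, plug-ins and Java off; only a user's click on an
// http(s) link ever leaves the view, and nothing else reaches NSWorkspace.
@interface HardenedReleaseNotesController : NSObject
@property (nonatomic, strong) WebView *webView;
@property (nonatomic) BOOL finishedLoading;
- (instancetype)initWithWebView:(WebView *)webView;
- (void)showNotes:(NSString *)html;
@end

@implementation HardenedReleaseNotesController
- (instancetype)initWithWebView:(WebView *)webView {
    if ((self = [super init])) {
        _webView = webView;
        WebPreferences *prefs = [webView preferences];
        [prefs setJavaScriptEnabled:NO];   // fix for (a)
        [prefs setPlugInsEnabled:NO];
        [prefs setJavaEnabled:NO];
        [webView setFrameLoadDelegate:self];
        [webView setPolicyDelegate:self];
    }
    return self;
}
- (void)showNotes:(NSString *)html {
    [[self.webView mainFrame] loadHTMLString:html baseURL:nil];
}
- (void)webView:(WebView *)sender didFinishLoadForFrame:(WebFrame *)frame {
    if (frame == [sender mainFrame]) self.finishedLoading = YES;
}
- (void)webView:(WebView *)sender
    decidePolicyForNavigationAction:(NSDictionary *)actionInformation
                            request:(NSURLRequest *)request
                              frame:(WebFrame *)frame
                   decisionListener:(id<WebPolicyDecisionListener>)listener {
    if (!self.finishedLoading) { [listener use]; return; }
    NSURL *url = [request URL];
    NSString *scheme = [[url scheme] lowercaseString];
    NSInteger navType =
        [[actionInformation objectForKey:WebActionNavigationTypeKey] integerValue];
    BOOL isUserClick = (navType == WebNavigationTypeLinkClicked);
    BOOL isWebScheme = [scheme isEqualToString:@"http"] ||
                       [scheme isEqualToString:@"https"];
    // fix for (b): a whitelist of schemes, and only for real clicks, so a
    // file: (or any other) URL injected by the feed is simply dropped.
    if (isUserClick && isWebScheme) {
        [[NSWorkspace sharedWorkspace] openURL:url];
    }
    [listener ignore];
}
@end
```

With the hostile entry above, the vulnerable controller opens the file: URL in the Finder as soon as the page's script runs; the hardened one never executes the script, and even a hand-crafted `<a href="file:...">` that a user clicks is ignored because the scheme is not on the list. This closes the release-notes hole on its own; moving the feed to https, as the thread already did, is what keeps an attacker from injecting such an entry in the first place.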



_______________________________________________

Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)