Martin Read wrote:
> Javier Fernandez-Sanguino Peña writes:
> > Xswallow is a plugin for Netscape that allows ANY X-based application
> > to run inside Netscape. This allows you to run a VRML browser
> > (vrwave, vrweb..) or
> > a midi application inside Netscape without having to expressly save to disk
> > and then run it aside. It works with <EMBED> tags and /etc/mime.types.
>
> This sounds distressingly like a serious security hole - unless it refuses
> requests resembling "xterm -e foo". It's not quite as bad as "xhost +",
> I'll admit, but it does sound like a major risk nevertheless.

I don't know... I think it would really depend on how it is implemented... as I remember the embed tag it goes like this:

<EMBED src="filename" height=xx width=xx>

I suppose if it was pointed at a cgi rather than a file... and the cgi gave it a specific mime type it could be interpreted and run an application such that it would do something nasty... but how is this different from a mail program that uses mime types? IMHO if a program will accept a file on its command line and then do something nasty (i.e. replace/delete files) without any user interaction... then maybe the security violation is listing it in mime types in the first place.

> > I have tried it with Netscape 3.0 and 4.0b5 (not with Mozilla yet :( )
> > it can be found as a RedHat package so I intend to use this first for the
> > first release. BTW it is GPL'd.

Sounds great to me :) can't wait to try it

-Steve

--
PGP Key at: http://www.gis.net/~sjc/pgp.asc (BTW Thanx a lot Noah for pointing out why putting my pgp key here was a bad idea... now I hafta find a new funny quote or something for here)

"Ummm, me make *one* change. Stone hot so me soak in stream so stone not burn Lorto hand. Small change, should not keep Lorto from make Fire."
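
Added example, not part of the original thread and not Xswallow's code: a small audit that flags MIME handler entries whose command runs a shell, terminal or interpreter, the kind of listing the reply above describes as the real problem. It assumes mailcap (RFC 1524) syntax as a stand-in, since the thread does not show Xswallow's own configuration format; the RISKY list and the sample entries are constructed for illustration.

```python
import shlex

# Programs that execute whatever they are handed: shells, terminals,
# interpreters. This list is an assumption for the example.
RISKY = {"sh", "bash", "csh", "tcsh", "ksh", "zsh", "xterm", "rxvt",
         "perl", "python", "tclsh", "wish", "awk", "make"}

# Constructed sample in mailcap syntax: "type/subtype; command; flags".
SAMPLE = """\
# constructed sample entries
model/vrml; vrweb %s
audio/midi; xplaymidi '%s'
application/x-sh; sh %s
application/x-demo; xterm -e %s
text/x-notes; cat %s | less; needsterminal
"""

def parse_mailcap(text):
    """Yield (mime_type, command) for each non-comment entry.

    Simplification: backslash-escaped semicolons inside a command
    are not handled.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(";")]
        if len(fields) >= 2 and fields[1]:
            yield fields[0].lower(), fields[1]

def audit(text):
    """Return (mime_type, command, reason) for handlers worth reviewing."""
    findings = []
    for mime_type, command in parse_mailcap(text):
        try:
            argv = shlex.split(command)
        except ValueError:
            findings.append((mime_type, command, "unparseable command"))
            continue
        # Check every word so "xterm -e foo" and "foo | sh" are both caught.
        names = {word.rsplit("/", 1)[-1] for word in argv}
        hits = sorted(names & RISKY)
        if hits:
            findings.append((mime_type, command, "runs " + ", ".join(hits)))
    return findings

if __name__ == "__main__":
    for mime_type, command, reason in audit(SAMPLE):
        print(f"{mime_type}: {command!r} -> {reason}")
```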