rgheck wrote:
What I wrote had nothing to do with why Bo chose to revert the
embedding code. It had to do with why, as I saw it, most developers
ended up disagreeing with the basic design. It is a fundamental flaw
if the mere possibility of unbundling files to arbitrary locations
*even within the document directory* leads to the possibility of
executing arbitrary code on the user's machine. I can easily construct
a file such that (on Linux), if you put the file in your home
directory, unbundle it, and then open the unbundled file, I can have
you execute any Python program I like. It'd take me a little more work
to figure out exactly what to do on Windows or Mac, as I don't use
them, but something similar would be possible there, too---with of
course much worse results on Windows than on Linux.
I don't recall seeing any solution to this problem proposed. And I'm
confident there is none. The only thing the exploit uses is, as I
said, the possibility of unbundling to arbitrary locations within the
document directory.
How does this exploit work?
On Linux, someone could embed .bashrc as a "code sample" in a document, and
of course unbundling that could have interesting consequences.
But this seems fixable:
* Never overwrite an executable file - pop up an error message instead.
* All files written by unbundling are created non-executable
With no executable files written or changed, is there still a problem?
Helge Hafting
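An added example, not code from the project under discussion or from either poster: a Python sketch of an unbundle step that applies the two rules proposed above (never overwrite an executable file, create every written file non-executable) and additionally confines every target path to the document directory, which is the part rgheck identifies as the root of the problem. The function names, the UnbundleError class and the refuse_hidden option are assumptions for illustration.

```python
import os
import stat

# Constructed example: a defensive "unbundle" step. Names are hypothetical.
EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


class UnbundleError(Exception):
    """Raised when an embedded file must not be written to disk."""


def resolve_inside(doc_dir, name):
    """Return the absolute target path for an embedded file name, or raise if
    it would land outside doc_dir (absolute names, ".." components, or a
    symlink already placed at the target that points out of the tree)."""
    base = os.path.realpath(doc_dir)
    if os.path.isabs(name):
        raise UnbundleError("absolute path refused: %r" % name)
    target = os.path.realpath(os.path.join(base, name))
    if target == base or os.path.commonpath([base, target]) != base:
        raise UnbundleError("path escapes document directory: %r" % name)
    return target


def is_executable(path):
    """True if any execute bit is set on an existing file."""
    return bool(os.stat(path).st_mode & EXEC_BITS)


def unbundle(doc_dir, name, data, refuse_hidden=True):
    """Write one embedded file under doc_dir following the rules:
    - the path must stay inside doc_dir,
    - an existing executable file is never overwritten,
    - the written file is left non-executable,
    - (assumed extra rule) dot-files such as .bashrc are refused, since the
      shell reads them without any execute bit being involved."""
    target = resolve_inside(doc_dir, name)
    parts = os.path.normpath(name).split(os.sep)
    if refuse_hidden and any(p.startswith(".") for p in parts):
        raise UnbundleError("hidden file refused: %r" % name)
    if os.path.exists(target) and is_executable(target):
        raise UnbundleError("refusing to overwrite executable: %r" % target)
    os.makedirs(os.path.dirname(target), exist_ok=True)
    # O_NOFOLLOW: do not write through a symlink sitting at the target name.
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(target, flags, 0o644)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    # An existing file keeps its old mode after O_TRUNC, so strip exec bits
    # explicitly rather than relying on the 0o644 creation mode.
    os.chmod(target, stat.S_IMODE(os.stat(target).st_mode) & ~EXEC_BITS)
    return target
```

The refuse_hidden rule is worth keeping switched on: the .bashrc case raised in the thread is a file the shell sources on login, so neither of the two execute-bit rules would stop it on its own.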