Re: (in)SECURITY: mozilla-bonobo
- From: Jean Bréfort <jean brefort ac-dijon fr>
- To: Fabio Gomes <bugtraq gs2 com br>
- Cc: Christian Glodt <chris mind lu>, gnome-devel-list gnome org
- Subject: Re: (in)SECURITY: mozilla-bonobo
- Date: 05 Dec 2003 20:06:41 +0100
On Fri 05/12/2003 at 13:01, Fabio Gomes wrote:
> > 2a. Instead of adding a flag, use the "bonobo:supported_uri_schemes" oaf attribute.
> > This way, one can limit the used components to those that advertise that they
> > handle the protocols (http(s)/ftp) that are used to transfer files on the net.
> > Supposedly components that are aware of those protocols would also handle
> > untrusted data.
> >
> Great. This would solve the problem.

Maybe it solves the problem, but most components do not advertise this
attribute. I searched which actually do. The list is quite short:
several Nautilus components, fontilus and File_Roller, none of which
is used by mozilla-bonobo or has http or ftp as content.
I do not understand why a plugin should support http or ftp. I have
written a light BonoboControl which I use to replace (with very limited
scope) the chime plugin. It just displays a 3d molecular structure and
this is not unsecure AFAIK. If it does not work anymore with
mozilla-bonobo, I'll have to write the whole plugin code. I cannot see
any reason for me to add http or ftp support.
So, I think we should find a better solution or we'll have to forget
about mozilla-bonobo as Fabio Gomes wrote :-(
Regards,
Jean
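
Added example, not part of the original message or of the mozilla-bonobo code: a sketch of the filter proposed in 2a, run over a constructed `.server` file, showing that a component which does not advertise `bonobo:supported_uri_schemes` (the case raised in the reply) ends up excluded. The component iids, the sample file and the three result labels are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Schemes named in proposal 2a as "used to transfer files on the net".
NET_SCHEMES = {"http", "https", "ftp"}
ATTR = "bonobo:supported_uri_schemes"

# Constructed sample in the OAF .server layout; all iids are hypothetical.
SAMPLE_SERVER_XML = """
<oaf_info>
  <oaf_server iid="OAFIID:Example_Net_Viewer" type="exe" location="net-viewer">
    <oaf_attribute name="bonobo:supported_uri_schemes" type="stringv">
      <item value="file"/>
      <item value="http"/>
    </oaf_attribute>
  </oaf_server>
  <oaf_server iid="OAFIID:Example_Local_Viewer" type="exe" location="local-viewer">
    <oaf_attribute name="bonobo:supported_uri_schemes" type="stringv">
      <item value="file"/>
    </oaf_attribute>
  </oaf_server>
  <oaf_server iid="OAFIID:Example_Molecule_Control" type="exe" location="mol-view">
    <oaf_attribute name="bonobo:supported_mime_types" type="stringv">
      <item value="chemical/x-pdb"/>
    </oaf_attribute>
  </oaf_server>
</oaf_info>
"""


def classify_components(xml_text):
    """Map each component iid to 'allowed', 'local-only' or 'unadvertised'."""
    result = {}
    for server in ET.fromstring(xml_text).iter("oaf_server"):
        schemes = None  # None means the attribute is absent altogether
        for attr in server.findall("oaf_attribute"):
            if attr.get("name") == ATTR:
                schemes = {i.get("value", "").lower() for i in attr.findall("item")}
        if schemes is None:
            result[server.get("iid")] = "unadvertised"  # rejected by the 2a filter
        elif schemes & NET_SCHEMES:
            result[server.get("iid")] = "allowed"
        else:
            result[server.get("iid")] = "local-only"  # advertises, but no net scheme
    return result


if __name__ == "__main__":
    for iid, verdict in classify_components(SAMPLE_SERVER_XML).items():
        print(f"{verdict:13} {iid}")
```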