Re: (in)SECURITY: mozilla-bonobo

On Fri 05/12/2003 at 13:01, Fabio Gomes wrote:
> > 2a. Instead of adding a flag, use the "bonobo:supported_uri_schemes" oaf attribute.
> >     This way, one can limit the used components to those that advertise that they
> >     handle the protocols (http(s)/ftp) that are used to transfer files on the net.
> >     Supposedly components that are aware of those protocols would also handle
> >     untrusted data.
> > 
> Great. This would solve the problem.

Maybe it solves the problem, but most components do not advertise this
attribute. I searched for which ones actually do. The list is quite short:
several Nautilus components, fontilus and File_Roller, none of which
is used by mozilla-bonobo or has http or ftp as content.

I do not understand why a plugin should support http or ftp. I have
written a light BonoboControl which I use to replace (with very limited
scope) the chime plugin. It just displays a 3d molecular structure and
this is not insecure AFAIK. If it does not work anymore with
mozilla-bonobo, I'll have to write the whole plugin code. I cannot see
any reason for me to add http or ftp support.

So, I think we should find a better solution or we'll have to forget
about mozilla-bonobo as Fabio Gomes wrote :-(



