Re: URI handling as the harbinger of interaction errors
* Steven M. Christey:
> Throughout this whole discussion on URI handling and IE, let's not
> forget that:
>
> 1) ANY technology that uses "handlers" that pass commands and
> arguments from one process to another, is likely to have these
> kinds of issues. Web browsers are just the first to get this kind
> of attention. All products that support plugins, whether web-based
> or not, should be examined for this type of problem.
Uh, the "first" part is not quite true. There was some discussion about
mailcap entries, and whether you should use %s or '%s' at some time in
the 90s.
> 2) Programs that were formerly assumed to be safe because they were
> only ever intended to be invoked by a single user, will now become
> unsafe if they're referenced in a handler. Think second-order
> symlink issues as one example, or buffer overflows in command-line
> arguments for non-setuid programs that are likely to be used in
> handlers (image converters, anyone?)
Again, we have been though this with *roff, Ghostscript (and its various
front ends), DVI viewers and TeX itself, and many more (and the classic
"unshar", of course). It's just another round on a different operating
system.
Image viewers are particularly interesting because even if your favorite
and bug-ridden MIME types like image/gif are handled by a (supposedly
patched) mail/web client, chances are that the image viewer recognizes a
GIF image even if it is declared as image/x-xwindowdump, exposing its
vulnerable GIF code.