Re: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape, Miranda, Skype
- From: Valdis.Kletnieks@xxxxxx
- Date: Sun, 07 Oct 2007 11:21:01 -0400
On Sat, 06 Oct 2007 12:43:16 EDT, "Geo." said:
> If the application is what exposes the URI handling routine to untrusted
> code from the internet, then it's the application's job to make sure that
> code is trusted before exposing system components to its commands, no?
I think that given a system service that says "I will handle a mailto: URI",
that a programmer can *reasonably* expect the following:
1) That it will be handed to a program that actually does e-mail, and not
a calculator. calc.exe hasn't *yet* followed the programming aphorism that
every program grows until it can read e-mail.
2) That said program can protect itself against overtly malicious input.
"When people pop a chocky in their mouth, they don't expect steel bolts to
spring out and pierce their cheeks" -- Monty Python.
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/