[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

URI handling as the harbinger of interaction errors

Throughout this whole discussion on URI handling and IE, let's not
forget that:

1) ANY technology that uses "handlers" that pass commands and
   arguments from one process to another, is likely to have these
   kinds of issues.  Web browsers are just the first to get this kind
   of attention.  All products that support plugins, whether web-based
   or not, should be examined for this type of problem.

2) Programs that were formerly assumed to be safe because they were
   only ever intended to be invoked by a single user, will now become
   unsafe if they're referenced in a handler.  Think second-order
   symlink issues as one example, or buffer overflows in command-line
   arguments for non-setuid programs that are likely to be used in
   handlers (image converters, anyone?)

3) These kinds of interaction errors, when disclosed, will probably
   continue to generate widespread debate.  It's the nature of
   interaction errors that either side could be "blamed."

4) The best currently feasible solution is likely to require that the
   invoking process stricly enforces which arguments it passes to the
   invoked process.  It should be obvious that string-based command
   construction is too risky.  Also, the invoked process might have a
   default mode of operation that disallows arguments that might be
   especially dangerous.  This will likely break legitimate
   functionality that's in active use, so adoption of such solutions
   will be slow.

5) As technologies become more integrated, we're likely to see more
   reports like this.

- Steve