Re: URI handling as the harbinger of interaction errors

[Florian Weimer <fw () deneb enyo de>]

* Steven M. Christey:

> Throughout this whole discussion on URI handling and IE, let's not
> forget that:
>
> 1) ANY technology that uses "handlers" that pass commands and
>    arguments from one process to another, is likely to have these
>    kinds of issues.  Web browsers are just the first to get this kind
>    of attention.  All products that support plugins, whether web-based
>    or not, should be examined for this type of problem.

Uh, the "first" part is not quite true.  There was some discussion about
mailcap entries, and whether you should use %s or '%s' at some time in
the 90s.

> 2) Programs that were formerly assumed to be safe because they were
>    only ever intended to be invoked by a single user, will now become
>    unsafe if they're referenced in a handler.  Think second-order
>    symlink issues as one example, or buffer overflows in command-line
>    arguments for non-setuid programs that are likely to be used in
>    handlers (image converters, anyone?)

Again, we have been though this with *roff, Ghostscript (and its various
front ends), DVI viewers and TeX itself, and many more (and the classic
"unshar", of course).  It's just another round on a different operating
system.

Image viewers are particularly interesting because even if your favorite
and bug-ridden MIME types like image/gif are handled by a (supposedly
patched) mail/web client, chances are that the image viewer recognizes a
GIF image even if it is declared as image/x-xwindowdump, exposing its
vulnerable GIF code.