BugTraq
URI handling woes in Acrobat Reader, Netscape, Miranda, Skype Oct 05 2007 12:58PM
Juergen Schmidt (ju heisec de) (3 replies)
Re: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype Oct 09 2007 11:03AM
Andreas Lindenblatt (azrael solution de)
Re: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype Oct 09 2007 06:33AM
Andreas Lindenblatt (azrael solution de)
RE: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype Oct 05 2007 07:54PM
Roger A. Grimes (roger banneretcs com) (1 replies)
Re[2]: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape, Miranda, Skype Oct 06 2007 04:13PM
Thierry Zoller (Thierry Zoller lu) (2 replies)
RE: Re[2]: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape, Miranda, Skype Oct 07 2007 01:30AM
Roger A. Grimes (roger banneretcs com)
Re: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape,Miranda, Skype Oct 06 2007 04:43PM
Geo. (geoincidents nls net) (3 replies)
Re: URI handling woes in Acrobat Reader, Netscape,Miranda, Skype Oct 11 2007 12:48PM
Thierry Zoller (Thierry Zoller lu)
Re[2]: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape,Miranda, Skype Oct 06 2007 05:06PM
Thierry Zoller (Thierry Zoller lu) (3 replies)
Re: Re[2]: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape,Miranda, Skype Oct 06 2007 06:52PM
Kurt Dillard (kurtdillard msn com) (1 replies)
Re: Re[2]: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape,Miranda, Skype Oct 07 2007 01:40PM
Glynn Clements (glynn gclements plus com) (1 replies)
Re: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape, Miranda, Skype Oct 08 2007 12:45AM
KJK::Hyperion (hackbunny s0ftpj org) (1 replies)
Re[2]: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape, Miranda, Skype Oct 09 2007 09:18PM
Thierry Zoller (Thierry Zoller lu)
Dear KJK,

KH> I repeat. Nowhere is said that ShellExecute (the default "run stuff"
KH> function) takes URLs.
Nowehere is determined that it does NOT take URLS.

You forget a consideration, an Important one in my opinion.
This is not straight forward ShellExecute(), it's a
shellexecute call to a Handler. This makes a world of difference
because you cannot tell what the handler does (at least you are not
supposed to).
I mean for example this one, the mailto: handler is defined
on my box I am writing from as :
[HKEY_CLASSES_ROOT\mailto\shell\open\command]
@="C:\\Programme\\The Bat!\\thebat.exe\" %1

As a thid party developer I am not supposed to know what that
application does as a third party developer I am not supposed to
collect every possible application on earth and test what stuff
I have to filter out to protect THAT application. Still with me ?

*I* think, normalistaion _in this particular case_ has to be done
by the function. Sorry my opinion.

--
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45 2E57 28B3 75DD 0AC6 F1C7

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus