[ANN] A 6 MB SqueakPlugin.image

Andreas Raab andreas.raab at gmx.de
Tue Jun 6 10:26:40 UTC 2006


Michael Rueger wrote:
> The SqueakPlugin.image is also set so that downloading any file from the 
> web turns on secure mode, restricting access to your file system to the 
> safe directory (see above). "Normal" images don't have that, so if 
> somebody knows/guesses you have the Squeak3.8 image somewhere on your 
> filesystem they might build a squeak project launching page that guesses 
> a location in your filesystem and then executes something nasty.

Worse than that: If you allow an absolute location, all some code needs 
to do is to download an image into the accessible location and once 
done, redirect the browser to a page that refers to that location (via 
argument). No guessing necessary, this works simply and directly.

Cheers,
   - Andreas
