Sparkle Updater Vulnerability: http://mjtsai.com/blog/2016/02/02/sparkle-updater-vulnerability/ … #mjtsaiblog
@mjtsai As most apps using Sparkle don't Quarantine files they create, Gatekeeper is never invoked in the first place.
@rosyna Did anyone imply otherwise?
@mjtsai I inferred it from "This seems like more of a WebKit vulnerability"
@rosyna What I meant by that is, why is WebKit executing any non-JavaScript code?
@mjtsai It's passing it to LaunchServices (as WebKit does for other protocol handlers). Quarantine normally prevents execution.
@rosyna I get that, but I don’t understand why I would want my browser to be able to do that silently, especially via JavaScript.
@mjtsai You wouldn't want your browser to. But you do want WebKit to be able to do so. It's used in app documentation.
@mjtsai Well, you'd want WebView to do it.
@mjtsai And WebViews have a method to change this behavior https://developer.apple.com/library/mac/documentation/Cocoa/Reference/WebKit/Protocols/WebPolicyDelegate_Protocol/#//apple_ref/occ/instm/NSObject/webView:decidePolicyForNavigationAction:request:frame:decisionListener …: that Sparkle overrode (https://github.com/sparkle-project/Sparkle/commit/70f6929ac766b404e8e0d28d5cbda7872dc2ee3f …)
@mjdrayton @mjtsai Yeah, some apps have Quarantine forced on them by the system (like Transmission)
@mjdrayton @mjtsai That's if they don't manually enable quarantine, of course.
@mjtsai (if they were quarantined, Sparkle couldn't automatically launch the updated version)
Michael Tsai
Rosyna Keller
Matthew Drayton