
Article:
  Build a Dashboard Widget
Subject:   Isn't that a bit dangerous?
Date:   2005-05-07 01:55:30
From:   KerryB
var commandLine =
"groff -mandoc -Tascii -P-b -P-c `man -w " +
document.getElementById('programName').value + "`| cat ";


I realise this isn't production code, and I may be missing something, but what happens if the user types something like foo;rm -rf $HOME into the command field?
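Here is the command string from the article built two ways, as an added example that is not code from the article or from the widget. The first builder is the original concatenation, so it shows exactly what an input like foo;rm -rf $HOME turns into; the second validates the program name against an allow-list before it ever reaches a shell. The Dashboard call that would execute the string is deliberately left out so the block runs in any JavaScript engine, and the regex, the sample inputs and the function names are my own.

```javascript
// Added example, not code from the article or the widget. It shows the
// command string the widget builds (the original concatenation) beside a
// version that validates the program name first. The Dashboard call that
// would execute the string is deliberately left out so this runs in any
// JavaScript engine; the allow-list regex and function names are my own.

const PREFIX = "groff -mandoc -Tascii -P-b -P-c `man -w ";

// The original pattern: whatever the user typed is pasted into the shell
// command. Input like  foo;rm -rf $HOME  runs rm inside the backticks.
function buildCommandUnsafe(programName) {
  return PREFIX + programName + "`| cat ";
}

// A check that only looks for ";" (the fix proposed in the replies). It is
// not enough: $(...), backticks, |, &, newlines and redirections all remain.
function passesSemicolonFilter(programName) {
  return programName.indexOf(";") === -1;
}

// Allow-list: a man page name is letters, digits, ".", "_", "+" or "-",
// and must not start with "-" so it cannot be read as an option to man.
const PROGRAM_NAME_RE = /^[A-Za-z0-9][A-Za-z0-9._+-]*$/;

function isAcceptedProgramName(programName) {
  return typeof programName === "string" && PROGRAM_NAME_RE.test(programName);
}

// POSIX single-quoting: inside '...' nothing is special except ' itself.
function shellQuote(s) {
  return "'" + s.replace(/'/g, "'\\''") + "'";
}

// Hardened builder: reject anything outside the allow-list, then quote
// anyway so a later loosening of the regex does not reopen the hole.
function buildCommandSafe(programName) {
  if (!isAcceptedProgramName(programName)) {
    throw new Error("rejected program name: " + JSON.stringify(programName));
  }
  return PREFIX + shellQuote(programName) + "` | cat";
}

// Constructed inputs: what the article expects, and what the post warns about.
const SAMPLES = ["ls", "g++", "foo;rm -rf $HOME", "foo$(rm -rf $HOME)", "-h"];

function classifySamples() {
  return SAMPLES.map(function (name) {
    return {
      name: name,
      semicolonFilterPasses: passesSemicolonFilter(name),
      allowListPasses: isAcceptedProgramName(name),
    };
  });
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(classifySamples());
  console.log(buildCommandUnsafe("foo;rm -rf $HOME"));
  console.log(buildCommandSafe("ls"));
}
```

The table printed by classifySamples() is the point: foo$(rm -rf $HOME) sails through a filter that only strips ";", while the allow-list rejects it along with backticks, pipes, newlines and a leading "-" that man would otherwise parse as an option. Quoting on top of validation costs nothing and keeps the builder safe if someone later widens the regex.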

Showing messages 1 through 4 of 4.

  • Isn't that a bit dangerous?
    2005-05-09 09:32:39  heyotwell

    "I realise this isn't production code, and I may be missing something, but what happens if the user types something like foo;rm -rf $HOME into the command field?"

    More importantly, what prevents a *widget* from simply running that code on its own?
  • Isn't that a bit dangerous?
    2005-05-07 05:15:01  Andrew Anderson

    I guess it is dangerous, but it is no more dangerous than the user entering "rm -rf $HOME" in a command shell.

    Trapping for ";" would make it so a user could not run malicious programs, but since this Widget does not connect to the Internet and is run exclusively from the local machine by local users, the danger is no more than the same command being issued from the command-line.

    Do not get me wrong though, your point is excellent. This Widget happens not to connect to the Internet and does not do anything nefarious. As Widgets proliferate, the possibility of downloading one that does something bad will be pretty high. The good news is that we will have the source code to review, the bad news is we will have to review it. In other words "Downloader beware".
  • Isn't that a bit dangerous?
    2005-05-07 04:57:55  SanjayW

    What prevents the user from typing the same command on Terminal? I guess the point is moot.
    • Isn't that a bit dangerous?
      2005-05-07 12:59:27  KerryB

      "What prevents the user from typing the same command on Terminal? I guess the point is moot."

      Yeah, I realised that after posting. I guess I've been spending too much time writing server side code!