2lmc spool


not cuddly at all


Ars Technica on a Safari shell script vulnerability


blech:


posted on 2006/02/21 13:50


This first emerged yesterday or so on the German site heise.de, itself translating the work of Michael Lehn.



The basic gist is that it's (another) flaw with Safari's "Execute 'safe' files after downloading option", which is (stupidly, if you ask me) on by default.



Shell scripts with a shebang line are (correctly) regarded as applications, triggering a prompt before opening, but ones without aren't.



If you deliver such a script in a post-10.3 zip file, along with Finder metadata, you can do something very sneaky:



although the script contains metadata in the form of a Terminal type/creator code, the .jpg or .mov extension causes Safari to treat it like a safe file
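The combination just described (a media-style extension, shell-script content with no shebang, and Finder type/creator metadata carried inside the zip) is something the receiving side can check for rather than trusting the extension. The scanner below is an added example, not code from the original post or from heise, Ars Technica or Michael Lehn. It assumes that Mac OS X zips carry Finder metadata as AppleDouble files under `__MACOSX/._<name>` with Finder Info as entry ID 9 (first four bytes file type, next four creator), and the `ASSUMED_TERMINAL_CREATOR` value is a placeholder for whichever creator code you want to treat as a launcher; the archive it scans is constructed inline.

```python
"""Flag zip entries whose extension says "image/movie" but whose bytes say
"script", and report any Finder type/creator metadata attached to them.

Added example (not from the original post). Assumptions: AppleDouble
layout of __MACOSX/._name entries; the creator code below is a placeholder.
"""
import io
import struct
import zipfile

APPLEDOUBLE_MAGIC = 0x00051607
FINDER_INFO_ENTRY = 9
ASSUMED_TERMINAL_CREATOR = b"trmx"  # assumption/placeholder, not taken from the post

MEDIA_MAGIC = {
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".gif": [b"GIF87a", b"GIF89a"],
}
# QuickTime/MP4 files start with a 4-byte atom size followed by a 4-byte atom type.
MOV_ATOM_TYPES = {b"ftyp", b"moov", b"mdat", b"wide", b"free", b"skip"}


def looks_like_media(ext, data):
    """True when the leading bytes match what the extension promises."""
    if ext == ".mov":
        return len(data) >= 8 and data[4:8] in MOV_ATOM_TYPES
    return any(data.startswith(m) for m in MEDIA_MAGIC.get(ext, []))


def is_plain_text(data):
    """A shebang-less script is just printable ASCII; real media never is."""
    sample = data[:512]
    if not sample:
        return False
    try:
        text = sample.decode("ascii")
    except UnicodeDecodeError:
        return False
    return all(ch.isprintable() or ch in "\r\n\t" for ch in text)


def finder_type_creator(blob):
    """Return (file type, creator) from an AppleDouble blob, or None."""
    if len(blob) < 26:
        return None
    magic, _version = struct.unpack(">II", blob[:8])
    if magic != APPLEDOUBLE_MAGIC:
        return None
    (count,) = struct.unpack(">H", blob[24:26])  # entry count after 16-byte filler
    for i in range(count):
        off = 26 + 12 * i
        if off + 12 > len(blob):
            break
        entry_id, entry_off, entry_len = struct.unpack(">III", blob[off:off + 12])
        if entry_id == FINDER_INFO_ENTRY and entry_len >= 8:
            info = blob[entry_off:entry_off + 8]
            return info[:4], info[4:8]
    return None


def scan_zip(zip_bytes):
    """Return [(entry name, [reasons])] for entries that deserve a second look."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
        for name in names:
            if name.endswith("/") or name.startswith("__MACOSX/"):
                continue
            ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if ext not in MEDIA_MAGIC and ext != ".mov":
                continue
            data = zf.read(name)
            reasons = []
            if not looks_like_media(ext, data):
                reasons.append(f"content does not match {ext} magic")
                if data.startswith(b"#!"):
                    reasons.append("shebang line present")
                elif is_plain_text(data):
                    reasons.append("plain text (possible shebang-less script)")
            if reasons:
                # Look for the AppleDouble sibling the Finder would have written.
                head, _, base = name.rpartition("/")
                meta = "__MACOSX/" + (head + "/" if head else "") + "._" + base
                if meta in names:
                    tc = finder_type_creator(zf.read(meta))
                    if tc:
                        reasons.append(f"Finder type/creator {tc[0]!r}/{tc[1]!r} attached")
                findings.append((name, reasons))
    return findings


def build_appledouble(ftype, creator):
    """Minimal AppleDouble file holding only a 32-byte Finder Info entry."""
    finder_info = ftype + creator + b"\x00" * 24
    header = struct.pack(">II", APPLEDOUBLE_MAGIC, 0x00020000) + b"\x00" * 16
    header += struct.pack(">H", 1)
    entry = struct.pack(">III", FINDER_INFO_ENTRY, 26 + 12, len(finder_info))
    return header + entry + finder_info


def build_sample_zip():
    """Constructed archive: a benign echo script named like a photo with Finder
    Info attached, plus a real JPEG header and a QuickTime header for contrast."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photo.jpg", "echo 'this is a script, not a picture'\n")
        zf.writestr("__MACOSX/._photo.jpg", build_appledouble(b"TEXT", ASSUMED_TERMINAL_CREATOR))
        zf.writestr("real.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)
        zf.writestr("clip.mov", struct.pack(">I", 20) + b"ftyp" + b"qt  " + b"\x00" * 8)
    return buf.getvalue()


if __name__ == "__main__":
    for entry, why in scan_zip(build_sample_zip()):
        print(entry, "->", "; ".join(why))
```

Running it flags only `photo.jpg`: its bytes are not JPEG, they are printable text with no shebang, and a Finder Info entry names a type/creator for it. The two genuine media entries pass because the content check runs before, and independently of, the name and the metadata.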


Eric Bangeman doesn't go on to really delve into this shear in the behaviour of applications and the OS, but I'd hope someone like Gruber or Siracusa can pipe up about how dumb it is that parts of the OS (I'm thinking of Launch Services here) use type/creator as well as extension when determining what to do with files, while applications end up doing completely the wrong thing.



I'm tempted to be nostalgic for the good old days of Mac OS 9, where extensions were used once, for incoming files, to set the type/creator codes that were then used all the time.



[ 0 days, 2 hours later ]



Sigh.



There's more about this on SANS, but the more I think about it the more it strikes me that this is a flaw that's always existed.



It's always been possible to conceal an application (GUI (although not a Cocoa bundle, I think) or shell) as a JPG (or movie) using a combination of renaming and a custom icon. The only difference is that since 10.3 (for two years, if you prefer) you've been able to deliver such files in zip archives (as opposed to Stuffit archives, which were needed for reliable metadata preservation before that).



Unless I'm forgetting or misreading something, anyway. Which is possible.



Anyway, to my mind the big problem is still Safari treating a shell script as safe based on a combination of its extension and missing shebang line. Certainly neither Camino nor Firefox share this flaw.



Both frankie on the Slashdot discussion and John Siracusa in the Ars Technica discussion argue that "remote" metadata needs to be ignored (although Siracusa suggests domains, so that metadata is still honoured if it's yours).



Later in the discussion, "blukens" says



the default icon for a file seems to be determined solely by the extension/type/creator, and not the application that will actually open it


Um, that looks like a bit of a bad decision right there. Um.

