One scenario where this would be useful is in a local client/server environment, where Mosaic is used as a front end to a number of other applications -- a document could explain what various applications do, and hyperlinks would cause the applications to be launched on the local machine.
As of Mosaic 2.0 prerelease 4, this is now possible. This opens up a number of questions and security concerns, and this document attempts to address both.
application/x-csh; csh -f %s
application/x-csh
. (Or, an entry could be placed in a user or system
extension map
to associate extension
.csh
with type
application/x-csh
, and a document
foo.csh
could be accessed on the local filesystem or on an FTP server.)csh -f
will be used as the "viewer" for the document, which means the shell script -- whatever it happens to contain -- will be executed on the client's host.
As an example, if you have the above
mailcap
entry in place, the following hyperlink will start up
/usr/bin/X11/xclock
on your host:
application/x-csh
or anything similar in the default settings,
this is not a security hole
unless
you specifically modify your config files to make it so.
However, as soon as you add the entry for
application/x-csh
as above to your user or system
mailcap, you have a security hole. A malicious information provider (anyone running a server) could construct a dangerous shell script referenced by an innocuous hyperlink in one of his/her documents, and you could click on it and cause it to be fired off
on your system
without realizing what's going on.
application/x-csh
(and similar) documents; the utility program will do the following:
csh
if the user selects "Yes".Such a program doesn't exist yet; we may write it. (The assumption does exist, however, that the user is qualified to judge on the fly whether a given shell script is safe to run.)
Note:
The following shell script,
safecsh
, is one possibility; it uses a semi-standard X utility called
xmessage
to display any encountered
csh
scripts and query the user.
#!/bin/csh -f xmessage -buttons "Execute this file,Cancel" -file $1 if ($status == 101) then csh -f $1 endifThanks to friendly user Michael Frank for the suggestion.
foobar/236454531154
) as the signifier for a shell script on both the client and server side. This means that your client will not execute shell scripts on other sites of type
application/x-csh
or anything similar, but will execute shell scripts coming off your own server as your special type.
But, were a person with malice in his/her heart to take a close look at your server and see that it's serving shell scripts as type
foobar/236454531154
, he/she could then construct a bomb on his/her server by using exactly that type, and you could get hit while browsing the net. The only way to get around this is to prohibit off-site accesses (or use some even tighter method of control). We are adding such capabilities to NCSA httpd, and other servers may either already have or will soon have such capabilities.
application/x-csh
and the like are used. If Mosaic in such a state is only used to access local, approved files that are known to be safe, then you won't get your filesystem nuked just by browsing the net. (Maybe make a shell script, e.g.
xdangerousmosaic
, that fires up Mosaic with a different
globalTypeMap
resource setting, to make this explicit.)