[Tizen Application-dev] Executing shell command

Pierce, Dean E dean.e.pierce at intel.com
Mon Mar 26 18:34:24 GMT 2012


My first thought:
"Oh god I hope not."

My second thought:
"Wouldn't that be insane if someone actually did that?"

My third thought:
"I really hope someone isn't in their cube right now trying to
implement this as a surprise feature for the next release."

Allowing any context the ability to go from JavaScript to shell is a
terrifying idea.  Microsoft tried it once, and they are still trying
to get that monster back in the box (ActiveXObject('WScript.Shell')).
Remember that the nature of HTML allows attackers to create new
iframes in arbitrary uncontrolled contexts.  There are multiple ways
for attackers to impersonate domains and assume the rights of various
applications.  If my talk at the Tizen conference gets accepted, I
will be talking about this in detail.

   - DEAN

