[Tizen Application-dev] Executing shell command

Carsten Haitzler (The Rasterman) tizen at rasterman.com
Tue Mar 27 00:30:17 GMT 2012


On Mon, 26 Mar 2012 11:34:24 -0700 "Pierce, Dean E" <dean.e.pierce at intel.com>
said:

> My first thought:
> "Oh god I hope not."
> 
> My second thought:
> "Wouldn't that be insane if someone actually did that?"
> 
> My third thought:
> "I really hope someone isn't in their cube right now trying to
> implement this as a surprise feature for the next release."
> 
> Allowing any context the ability to go from JavaScript to shell is a
> terrifying idea.  Microsoft tried it once, and they are still trying
> to get that monster back in the box (ActiveXObject('WScript.Shell')).
> Remember that the nature of HTML allows attackers to create new
> iframes in arbitrary uncontrolled contexts.  There are multiple ways
> for attackers to impersonate domains and assume the rights of various
> applications.  If my talk at the Tizen conference gets accepted, I
> will be talking about this in detail.

Actually it depends. If you have locally installed "web apps", then this would
allow the app to be a first-class citizen along with the abilities of native
apps. This JS function would ONLY work if your app was installed locally (and
had appropriate security clearance - e.g. on install it requested such
capabilities and you agreed). As such the intent of using HTML5 for apps is to
have them work and behave like native apps would.

-- 
Carsten Haitzler (The Rasterman) <tizen at rasterman.com>
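
The gate described in the reply above (locally installed, capability granted at install), checked together with the iframe and impersonation concerns from the quoted message, as an added example that is not part of the original thread and is not Tizen code. The `app://` scheme, the `shell.exec` capability name, the registry shape and `authorizeShellExec` are hypothetical, and the calling context is assumed to be filled in by the runtime, never by page script.

```javascript
// Added illustration: every name here (app:// scheme, "shell.exec",
// the registry shape) is hypothetical, not a Tizen API.
const SHELL_CAPABILITY = "shell.exec";

// Constructed sample registry: what the installer recorded per package.
const installedApps = new Map([
  ["filemgr", { origin: "app://filemgr", granted: new Set(["shell.exec"]) }],
  ["weather", { origin: "app://weather", granted: new Set(["network"]) }],
]);

// Decide whether a calling context may reach the shell bridge.
// ctx is assumed to come from the runtime, not from the page itself.
// Deny by default; each refusal carries a reason so it can be logged.
function authorizeShellExec(ctx, registry) {
  const app = registry.get(ctx.appId);
  if (!app) {
    return { allowed: false, reason: "not-installed" };
  }
  // Exact match only: prefix or suffix matching would let
  // "app://filemgr.evil.example" pass for "app://filemgr".
  if (ctx.origin !== app.origin) {
    return { allowed: false, reason: "origin-mismatch" };
  }
  // A frame embedded in the app does not inherit the app's rights.
  if (!ctx.isTopLevelFrame) {
    return { allowed: false, reason: "embedded-frame" };
  }
  if (!app.granted.has(SHELL_CAPABILITY)) {
    return { allowed: false, reason: "capability-not-granted" };
  }
  return { allowed: true, reason: "ok" };
}

// Constructed calling contexts.
const calls = [
  { appId: "filemgr", origin: "app://filemgr", isTopLevelFrame: true },
  { appId: "filemgr", origin: "app://filemgr", isTopLevelFrame: false },
  { appId: "filemgr", origin: "https://remote.example", isTopLevelFrame: true },
  { appId: "weather", origin: "app://weather", isTopLevelFrame: true },
  { appId: "unknown", origin: "app://unknown", isTopLevelFrame: true },
];
for (const c of calls) {
  const d = authorizeShellExec(c, installedApps);
  console.log(`${c.appId} ${c.origin} top=${c.isTopLevelFrame} -> ${d.reason}`);
}
```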

