[Tizen Application-dev] Executing shell command

Carsten Haitzler (The Rasterman) tizen at rasterman.com
Tue Mar 27 00:30:17 GMT 2012

On Mon, 26 Mar 2012 11:34:24 -0700 "Pierce, Dean E" <dean.e.pierce at intel.com> wrote:

> My first thought:
> "Oh god I hope not."
> My second thought:
> "Wouldn't that be insane if someone actually did that?"
> My third thought:
> "I really hope someone isn't in their cube right now trying to
> implement this as a surprise feature for the next release."
>
> Allowing any context the ability to go from JavaScript to shell is a
> terrifying idea.  Microsoft tried it once, and they are still trying
> to get that monster back in the box (ActiveXObject('WScript.Shell')).
> Remember that the nature of HTML allows attackers to create new
> iframes in arbitrary uncontrolled contexts.  There are multiple ways
> for attackers to impersonate domains and assume the rights of various
> applications.  If my talk at the tizen conference gets accepted, I
> will be talking about this in detail.

actually it depends. if you have locally installed "web apps", then this would
allow the app to be a first-class-citizen along with the abilities of native
apps. this js function would ONLY work if your app was installed locally (and
had appropriate security clearance - e.g. on install it requested such
capabilities and you agreed). as such the intent of using html5 for apps is to
have them work and behave like native apps would.

Carsten Haitzler (The Rasterman) <tizen at rasterman.com>
