Copy/Paste
Moderator: Committer
- adrian_broher
- Programmer
- Posts: 1156
- Joined: Fri Mar 01, 2013 9:52 am
- Location: Germany
Re: Copy/Paste
Geoff the Medio wrote: That looks a bit unsafe / exploitable...
How? The URLs passed are well known and static. It's not like we're passing content from a potentially malicious server or other clients through the system call.
Resident code gremlin
Attached patches are released under GPL 2.0 or later.
Git author: Marcel Metz
- Geoff the Medio
- Programming, Design, Admin
- Posts: 13603
- Joined: Wed Oct 08, 2003 1:33 am
- Location: Munich
Re: Copy/Paste
adrian_broher wrote: The URLs passed are well known and static. It's not like we're passing content from a potentially malicious server or other clients through the system call.
Exactly that could happen, if a player connects to a server with modified content files. Also, players can currently put markup into, for example, ship names, and these will be processed and turned into clickable links in sitrep messages. Markup is also processed by the messages window, but it doesn't turn them into links, although in future it probably could / should also be capable of showing clickable links.
Even if those particular "holes" are fixed, somehow without limiting functionality, others might be missed... and so I think it'd be safer to call something URL-specific (which I suppose can also be exploited if sending someone to a suitable website, but at least it's a bit safer than opening arbitrary files on the local system...)
- adrian_broher
- Programmer
- Posts: 1156
- Joined: Fri Mar 01, 2013 9:52 am
- Location: Germany
Re: Copy/Paste
You're moving goalposts here.
Would be nice to have links to freeorion.org or copyright text websites work from in-game.
Geoff the Medio wrote: Exactly that could happen, if a player connects to a server with modified content files.
Neither the COPYING file nor the freeorion url are fetched from the server.
Geoff the Medio wrote: Also, players can currently put markup into, for example, ship names, and these will be processed and turned into clickable links in sitrep messages.
How is this internal mechanism even related to the links you want to handle?
Resident code gremlin
Attached patches are released under GPL 2.0 or later.
Git author: Marcel Metz
- Geoff the Medio
- Programming, Design, Admin
- Posts: 13603
- Joined: Wed Oct 08, 2003 1:33 am
- Location: Munich
Re: Copy/Paste
I'm assuming links to websites in arbitrary text will be implemented with markup just like intra-pedia or sitrep-to-pedia type links.
Sitreps can contain player-written text (names), and after modifications Dilvish is working on now, arbitrary sitrep text could be sent without fetching from the client-side stringtable.
Re: Copy/Paste
You can hardcode a whitelist of command patterns allowed (i.e. only URLs that point to freeorion.org-based sites). Or add it to client configuration.
https://github.com/mmoderau
[...] for Man has earned his right to hold this planet against all comers, by virtue of occasionally producing someone totally batshit insane. - Randall Munroe, title text to xkcd #556
Re: Copy/Paste
em3 wrote: You can hardcode a whitelist of command patterns allowed (i.e. only URLs that point to freeorion.org-based sites). Or add it to client configuration.
Seems like something along those lines should be safe enough.
If I provided any code, scripts or other content here, it's released under GPL 2.0 and CC-BY-SA 3.0
- Geoff the Medio
- Programming, Design, Admin
- Posts: 13603
- Joined: Wed Oct 08, 2003 1:33 am
- Location: Munich
Re: Copy/Paste
I made a pull request attempting to implement the OpenURL function as suggested earlier. Testing would be helpful...
https://github.com/freeorion/freeorion/pull/318