Fwd: Re: MIME changes

Andras Mantia amantia at freemail.hu
Wed May 14 10:19:41 EEST 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wednesday 2003 May 14 05:24, Oswald Buddenhagen wrote:
> On Tue, May 13, 2003 at 11:51:51PM +0300, Andras Mantia wrote:
> > I think the problem is not that the user will see some garbage that
> > he/she doesn't understand. The problem is that non-text files may harm
> > the application behavior.
>
> that's major bull. fix the applications, not their input. if you can
> crash a text editor with some random binary data, you have a gorgeous
> security hole. note that kde applications can receive their data
> directly from the net, so this imposes a _real_ problem.
Ok, I partially agree. They shouldn't crash. I've tried it now with some 
editors loading an 29MB large executable:
- - KWrite: loaded but very slowly
- - KEdit: crashed
- - Quanta: no crash, but seems to be blocked
- - XEdit: loads almost instantly.

Take a look at KWrite and Quanta (they both use the same editor part). It 
seems that they don't crash, but either they are slow or extremely slow. I 
believe the reason is because they do advanced parsing. The editor part try 
to apply highlighting, Quanta tries to find XML tags in the document. Knowing 
if that the file is a binary those editor can just skip the advanced parsing.
>
> i'm more concerned about the data itself. crlf and tab conversion or
> trailing whitespace stripping are quite deadly to binary data.
Yes, I don't think it's wise to save a binary file after you have loaded in a 
text editor, especially if it does some kind of conversion.

> joe user confronted with a screenfull of garbage usually refrains
> from being a kde advocate, at least for some time. :)
> so while it should be possible to force applications to eat
> inappropriate input and they should handle it gracefully, it should be
> reasonably hard (read: non-obvious, e.g., from the command line or with
> an explicit "open with ..." entry) to trigger such situation.
>
> so i'm all for something like that x-kde-text or type inheritance or
> however it might be implemented. but that should not be used as an
> excuse for bad code ...
No it shouldn't be, but I think it makes sense to provide at least a warning 
to the user.  May it refer that the application is badly coded and may crash, 
or that his data may become unusable after saving...

Andras
>
> greetings

- -- 
Quanta Plus developer - http://quanta.sourceforge.net
K Desktop Environment - http://www.kde.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+we4NTQdfac6L/08RAitGAJ0ZQ+LjIIUwMXXO4tuoboS/RHactgCdGaGi
woQ7t5KkxNnDF3WQtPlDUTk=
=YSEx
-----END PGP SIGNATURE-----



More information about the xdg mailing list