- Path: sparky!uunet!paladin.american.edu!howland.reston.ans.net!wupost!emory!ogicse!das-news.harvard.edu!cantaloupe.srv.cs.cmu.edu!crabapple.srv.cs.cmu.edu!andrew.cmu.edu!sean+
- From: sean+@andrew.cmu.edu (Sean McLinden)
- Newsgroups: comp.lang.tcl
- Subject: Re: Insecurity of tk
- Message-ID: <UfC5fTm00WBKE1_WBc@andrew.cmu.edu>
- Date: 23 Dec 92 02:26:07 GMT
- Article-I.D.: andrew.UfC5fTm00WBKE1_WBc
- References: <1992Dec22.212801.6306@twg.com>
- Organization: Carnegie Mellon, Pittsburgh, PA
- Lines: 21
- In-Reply-To: <1992Dec22.212801.6306@twg.com>
-
- >The authorisation stuff fiddled with by xhost should close this pretty
- >well but I wonder how many people actually use it? I sure don't since
- >1) my workstation is pretty well isolated to TWG's network and 2) it has
- >the appearance of being a lot of trouble to set up. I don't know if it
- >really is hard to set up and surely haven't looked into it.
- >
- >What are others' thoughts?
-
- The same is true for any client application running on an insecure X
- server so "fixing" it for tk would probably not buy you much. Security
- can be handled by lower layers (e.g. X, itself) and probably should be
- handled there rather than loading up tcl/tk to do it.
-
- A potentially bigger security concern is that it seems pretty obvious
- that a slick MIME interface could be written to allow tcl/tk scripts to
- be used as interactive mail. The CMU Andrew project did just such a thing
- with Atk and, later, NESS. The difficulty lies in having an interpreter which
- can detect potential security problems before running the application or which
- could run the application in a secure mode so that you don't have people
- sending Trojan horses to each other.
-
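The "secure mode" interpreter the post asks for is what Tcl later shipped as safe interpreters. The following is an added example, not code from the post or from the Andrew project: a parent interpreter runs a constructed, untrusted "mail" script in a `-safe` child, exposes a single aliased `report` command, and lets the hidden `open` fail. The script text, `run_safely` and `report_line` are all assumed names for the demonstration.

```tcl
# Added example: running an untrusted script in a Tcl safe interpreter.
package require Tcl 8.5

# Constructed sample of a script that might arrive as "interactive mail".
# It does harmless arithmetic, then tries to touch the file system.
set untrusted_script {
    set total 0
    foreach n {1 2 3 4} { incr total $n }
    report "sum is $total"
    # Hidden in a safe interpreter: this raises an error instead of running.
    set fh [open "/etc/hostname" r]
}

# Narrow capability the parent chooses to expose: append one line to a buffer.
set ::report_buf {}
proc report_line {msg} { lappend ::report_buf $msg }

# Run a script in a safe child. exec, open, file, socket, source, cd, glob
# and friends are hidden; only explicitly aliased commands reach the parent.
proc run_safely {script} {
    set child [interp create -safe]
    interp alias $child report {} report_line
    # A safe interp limits reachable commands, not CPU time; bound that too
    # (Tcl 8.5+) so a runaway loop cannot hang the mail reader.
    interp limit $child time -seconds [expr {[clock seconds] + 5}]
    set status [catch {interp eval $child $script} result]
    interp delete $child
    return [list $status $result]
}

lassign [run_safely $untrusted_script] status result
puts "report : $::report_buf"   ;# {sum is 10}
puts "status : $status"         ;# 1, the hidden command raised an error
puts "error  : $result"         ;# invalid command name "open"
```

The same script evaluated in a trusted interpreter would read the file, which is exactly the exposure the post describes; the safe child turns that into a caught error while still letting the harmless part of the script run.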