[PD-dev] writing exploits in Pd (Re: [PD] [file])
Antoine Rousseau
antoine at metalu.net
Tue Aug 31 18:07:47 CEST 2021
>
> however, externals are free to *not* use `sys_open` so that could be
> easily circumvented
yes. I was mostly concerned about user written Pd patches that would be
opened by a libpd app, like Pd(Droid)Party, MobMuPlat or so.
If the developer of the app could lock the write permission to a predefined
user directory, it would be safer to try opening patches from other users...
In the worst case you only could lose other patches or related data.
Thinking a bit more: actually most mobile APIs already provide such a
security...
Le mar. 31 août 2021 à 16:51, IOhannes m zmoelnig <zmoelnig at iem.at> a
écrit :
> On 8/31/21 4:37 PM, Antoine Rousseau wrote:
> >>
> >> i wonder whether it would be possible (with Pd>=0.42) to create a patch
> >> that creates a gui-plugin on the fly.
> >> if this is true, then you can already do everything that [file] allows
> you
> >> to do - and much more
> >
> >
> > yes, but [file] will be extremely useful in the "-nogui" and libpd
> contexts.
>
> yes definitely. and much more.
> i didn't write [file] to write exploits but to be useful.
>
> >
> > BTW, and about the "exploits", I'm wondering if this would be feasible to
> > implement a safety lock callable from a libpd based application, that
> would
> > restrict the write permission (of every Pd object) to a given list of
> > directories.
>
> we could probably restrict `sys_open` and friends.
> however, externals are free to *not* use `sys_open` so that could be
> easily circumvented.
>
> mfgasdr
> IOhannes
>
> _______________________________________________
> Pd-dev mailing list
> Pd-dev at lists.iem.at
> https://lists.puredata.info/listinfo/pd-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.puredata.info/pipermail/pd-dev/attachments/20210831/698247d2/attachment-0001.htm>
More information about the Pd-dev
mailing list