[PD] [file]
Christof Ressi
info at christofressi.com
Tue Aug 31 15:50:02 CEST 2021
> Has this any security implications?

It's certainly not worse than [pdcontrol] whose "browse" method
basically allows you to run arbitrary executables. A Pd project could
contain a malicious binary (disguised as a WAV file) which is
automatically run when you open the main patch - without you ever noticing.

Generally, every single external is a potential security risk since it
contains arbitrary code. Maybe [zexy] contains a backdoor for the NSA,
who knows?

Christof

On 31.08.2021 13:05, IOhannes m zmoelnig wrote:
> On 8/31/21 12:38 PM, Ingo Stock wrote:
>> Looks great!
>>
>> Has this any security implications?
>
> sure.
> if the user is allowed to overwrite "C:\Windows\system32\rundll32.exe"
> they could inject malicious code.
> or delete that file.
>
> however, if they are allowed to overwrite that file, they can already
> replace it with the contents of a WAV-file to bork the system.
>
> so I don't think there are additional security implications¹.
>
>> Could this be used to attack other
>> computers?
>
> *other* computers?
> no, not really.
> it provides an interface to your filesystem.
> unless your filesystem lives on other computers, i don't see how you
> could impact them.
>
> gfmasdr
> IOhannes
>
> ¹ i wonder whether it would be possible (with Pd>=0.42) to create a
> patch that creates a gui-plugin on the fly.
> if this is true, then you can already do everything that [file] allows
> you to do - and much more.
>
> gfmadsr
> IOhannes
>
>
> _______________________________________________
> Pd-list at lists.iem.at mailing list
> UNSUBSCRIBE and account-management -> https://lists.puredata.info/listinfo/pd-list
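
Added example, not part of the original thread or of Pd itself: a minimal pre-open check for the "binary disguised as a WAV file" case mentioned above. It walks a project directory and reports files named `.wav` whose leading bytes are not a RIFF/WAVE header. The function names and sample files are constructed for illustration.

```python
import os
import tempfile

# Well-known leading bytes of executable formats.
EXEC_MAGIC = {
    b"MZ": "Windows PE",
    b"\x7fELF": "ELF",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit",
    b"#!": "shebang script",
}

def classify(header):
    """Label a file by its first 12 bytes."""
    if header[:4] == b"RIFF" and header[8:12] == b"WAVE":
        return "wav"
    for magic, name in EXEC_MAGIC.items():
        if header.startswith(magic):
            return name
    return "unknown"

def scan_project(root):
    """Return sorted (relative path, detected type) for *.wav files that are not RIFF/WAVE."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".wav"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                kind = classify(fh.read(12))
            if kind != "wav":
                findings.append((os.path.relpath(path, root), kind))
    return sorted(findings)

def demo():
    """Scan a constructed project directory (all sample bytes are made up)."""
    samples = {
        "kick.wav": b"RIFF\x24\x00\x00\x00WAVEfmt ",  # valid WAV header start
        "snare.wav": b"MZ\x90\x00\x03\x00\x00\x00",   # PE-style stub
        "pad.WAV": b"\x7fELF\x02\x01\x01\x00",        # ELF-style stub
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return scan_project(root)

if __name__ == "__main__":
    for rel, kind in demo():
        print(f"{rel}: named .wav but looks like {kind}")
```

A check like this only catches mislabeled files; it says nothing about externals, which, as the message notes, are arbitrary code in their own right.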