Re: [dev] [surf] [PATCHES] (1) GConf URL schema handlers (2) delete _SURF_GO xprop (3) close stdout sending XID

From: Adam Strzelecki <ono_AT_java.pl>
Date: Sat, 9 Apr 2011 22:06:26 +0200

>>> _SURF_GO just after it's set?
>>
>> _SURF_GO shouldn't be read, though, it's only used for telling surf
>> to load a new page. Unless I'm misunderstanding your point.
>>
> If it can't be read, then what's the original security breach?

Nick wrote it shouldn't be read, but it can. So right now you can set _SURF_GO and what you set is visible (including any passwords) using "xprop", while _SURF_URI contains same URL but this time password-less.

-- 
Adam Strzelecki
Received on Sat Apr 09 2011 - 22:06:26 CEST

This archive was generated by hypermail 2.2.0 : Sat Apr 09 2011 - 22:12:02 CEST