Full Disclosure: Re: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype

[Thierry Zoller <Thierry () Zoller lu>]

Dear KJK,

KH> I repeat. Nowhere is said that ShellExecute (the default "run stuff"
KH> function) takes URLs.
Nowehere is determined that it does NOT take URLS.

You forget a consideration, an Important one in my opinion.
This is not straight forward ShellExecute(), it's a
shellexecute call to a Handler. This makes a world of difference
because you cannot tell what the handler does (at least you are not
supposed to).
I mean for example this one, the mailto: handler is defined
on my box I am writing from as :
[HKEY_CLASSES_ROOT\mailto\shell\open\command]
@="C:\\Programme\\The Bat!\\thebat.exe\" %1

As a thid party developer I am not supposed to know what that
application does as a third party developer I am not supposed to
collect every possible application on earth and test what stuff
I have to filter out to protect THAT application. Still with me ?

*I* think, normalistaion _in this particular case_ has to be done
by the function. Sorry my opinion.

-- 
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45  2E57 28B3 75DD 0AC6 F1C7

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/