I would like to develop a really simple addon in Thunderbird (based on Firefox addons) that executes an action when I type some commands. Ideally I'd either type something like:
$ thunderbird -myplugin someArgs
or
$ curl 127.0.0.1:12345/myplugin/someargs
But I don't want to run more complex codes as I want to be sure that the user can check imediately that it does not run any malware (I don't want the plugin to have full control on the OS).
Any idea how I could do that?
Related
I'd like to execute a shell script form my Rails app on the client.
In my case, I want to open a .odt file on the Client PC when he clicks on a link.
As for now, all I can do is run shell script on my server using e.g.
`libreoffice path_to_my_odt_file`.
In this case, I'm opening my file using LivreOffice on the Server.
Is there a way to execute this code on my Client from Rails?
If I try to run my app as it is, when I call the action that calls my script, the file is opened on my Server.
Thank you in advance.
As mentionned in the comments, running arbitrary shell scripts on the client from the http server would be a huge security flaw.
As long as your Rails server provides a download link with send_data (e.g. dynamically_generated_odt_file), the browser will ask if it should download the file or open it. If the user wants to avoid any extra interaction, there's the possibility to tick :
"Do this automatically for files like this from now on"
You might have to specify the MIME type, by adding
Mime::Type.register "application/vnd.oasis.opendocument.text", :odt
to config/initializers/mime_types.rb.
I am trying to get rails to select document attachments, then kick off the email client with the documents attached.
I have it working on my development laptop. If I build a string with the appropriate parameters and pass that to system() then it kicks off the email client with the attachments..
The string looks something like
#email_content = "C:\Program Files (x86)\IBM\Lotus\Notes\notes.exe"
"Mailto:?Attach=C:\Users\cm\RubymineProjects\technical_library\public\images\1\8302_printed.pdf
The first part calls the notes exe and the second part starts and email with the attachments. That worked fine on my laptop.
However, when I moved it to the server, it isn't kicking off the email client. I believe that it is because the shell commands are trying to execute on the server, not on the client.
Is it possible to run a shell command on the client machine? I am trying to get this working with Windows first and then the Mac environmemnt. I tried changing the C:\ to the machine name. i.e. \chrislaptop\Program Files (x86)\IBM\Lotus\Notes\notes.exe. but that didn't work.
No, fortunately that is not possible.
Imagine what happens when a request to some random page on the internet could trigger shell scripts on your local computer...
Arbitrary code execution escaping the browser is too invasive-- your app should not have access to the client's machine.
However, some applications may support URIs that open specific applications outside the browser. You generally see this more on mobile devices, but Spotify for example supports links that look like: spotify:artist:5lsC3H1vh9YSRQckyGv0Up which asks the user whether it is ok to open the Spotify application.
https://news.spotify.com/us/2008/01/14/linking-to-spotify/
I host a server and I was wondering: is there any way to run chat commands through ComputerCraft? I want to be able to run /tps through the ComputerCraft terminal and then have it print out the TPS. Help would be greatly appreciated.
Thanks.
In the new Computercraft 1.7 there is a new type of computer, the Command Computer. It allows the user to run commands the same way as shell.run("mkdir", "foo"). It can only be obtained by ops, and can only directly be controlled (we are talking without using rednet and such) by ops
commands.exec(string command) -- Runs and outputs command output in chat.
commands.execAsync(string command) -- Quietly runs command without output.
Here is the wiki page:
Commands (API)
But if we are talking 1.6.4 (Which almost all modpacks use) there is no "stock" version of doing that.
Hope it helps /Tyrerexus
I believe that you can use this thing called the Chat Box.
http://ftbwiki.org/Chat_Box
It's not part of the default Computercraft, however. It is part of the Misc Peripherals mod I believe.
Im doing a little research into installers, and right now at my company we are having some issues deploying from jenkins using click once. We have a test certificate(these programs are all internal) and for some reason are having some issues with the certifcate being incompatiable with certain msbuilds/.net frameworks. So im looking into alternatives.
But in that i want to keep the same architecture. How it works right now is someone clicks on a button in our task bar, clicks on the application they want, and then click once installs the updates(or installs) without further user input and starts the application. Ive heard a lot of good things about NSIS.
So far ive only seen generic application installers like you expect when you download anything from the internet. Could I do something like i described above using NSIS?
A very basic no interaction installer might look like this:
Name foo
OutFile foo_setup.exe
AutoCloseWindow true
RequestExecutionLevel user
InstallDir "$LocalAppData\Programs\MyApp"
Page InstFiles
Section
SetOutPath "$InstDir"
WriteUninstaller "$InstDir\uninst.exe"
; TODO: Add registry entry for Add/Remove Programs
File "MyApp.exe"
File "Data.xml" ; Support files etc
Exec '"$InstDir\MyApp.exe" -firstrun "c:\some path\file.ext"'
SectionEnd
Section Uninstall
Delete "$InstDir\MyApp.exe"
Delete "$InstDir\Data.xml"
Delete "$InstDir\uninst.exe"
RMDir "$InstDir"
SectionEnd
If you want to install for all users in %ProgramFiles% you can run into issues with Exec because the app can end up running as the wrong user if a non-administrator used some other account in the UAC dialog.
We have an internal and external facing asp.net mvc app running under mono on ubuntu 10.04 LTS. There is also a complicated (native, not mono) command line app that users use on the same server. They log on via ssh to do this. We have the security for the ssh users pretty locked down, so they can't do very much other than run the command line app.
The users of these apps have to:
login via ssh to the server, run the command line app with whatever command line switches are required which then does some long running processing and puts a report in the db of the web app.
Login to the web app, then set some options for publishing a report via the web app.
The users of the apps want to skip step 1 and do it all in the web app. I am thinking of creating a service that regulary polls the db for command line app jobs to run. The jobs would be created by the users as desired in the web app.
The problem is, the users want a box in the web app where they can just fill in any command line options. But I don't want them to do something like this:
-a dothis -b dothis & rm importantfile.txt
...in case the user's credentials to the web app are somehow compromised. I want to make sure that only that command line app can be used and nothing else. I am thinking of preventing the characters ! | < > & / \ $ ( ) from being allowed, which looks like are not required by the command line app.
Is that good enough? Are there any other shell tricks I should know about? Should I take a different approach?
I really don't want to have to write some sort of parser for the arguments that the users supply, because there are a ton of them that the users like to use.
Instead of running the command line as a shell command (launching the shell to launch the program), can you launch the program itself as a new process? I believe that's what the answer here is doing: Execute a command line utility in ASP.NET . If the actual program is launched as a process, rather than a shell, then things like & or rm will just be arguments to the command line utility, which should be fine if the command line utility checks for bad inputs.
If that's not feasible (although it's probably the better option), replacing all single quotes with single quote escape sequences, then placing single quotes around each of the arguments (split the string with a space as the delimeter), could provide a similar effect. Instead of making sure you avoid all possible bad characters (; can be used similarly to & in many shells), you only need to make sure that the provided arguments can't escape out of the single quotes. (You might also want to check for single quote surrounded arguments beforehand, to avoid double quoting them, and don't cound escaped spaces when splitting up arguments, etc., so that the users can provide arguments that need spaces).