[Adium-devl] Exposed preferences via AppleScript

Colin Barrett timber at lava.net
Thu Aug 16 10:36:46 UTC 2007


Coming at this from a "security" aspect, since this is the first time  
we've really got a non-trivial path into the application, and people
might try to write malicious AppleScripts or something. Only, unlike
with a malicious plugin where we're basically just fucked, we can  
actually do something about security in AS.

Note: I'm not thinking much, if at all, about usability or how nice it  
would be to have these prefs. Purely trying to think of the security  
risk. Feel free to start a discussion about why these would be cool to  
have :)

Anyway, here are my thoughts:

Definitely don't think we should allow account creation and deletion  
via AppleScript. That seems a bit dangerous.

Allowing a script to pull your password out to plaintext also seems  
dangerous as well.

I can't think of anything else. Contact list prefs, Message view  
stuff, sounds all good. Might want to be careful with the Events code,  
but I think that should be alright.

OTR scripting should also be pretty limited -- definitely should not  
allow you to do something like verify keys via AS, I'd say.

-Colin

On Aug 15, 2007, at 6:40 PM, Matt Handley wrote:

> Hi.
>
> I'm wrapping up my AppleScript support, and I've come to a point where
> I'm trying to decide which application preferences I should expose to
> the scripters. Does anyone have any suggestions as to which
> preferences definitely should or shouldn't be available to scripters?
>
> Matt




