PDN Question

Discussion and analysis about certain positions.

Re: PDN Question

Post by Michael S. Sanders »

Looks good Murray. I wish your work continued success. It's a solid program.

Re: PDN Question

Post by matthewkooshad »

I don't quite understand the security problems or even how they would possibly relate to the programmer. Is not an xml == pdn == txt as far as the type of document? To my understanding all of the three contain ASCII text and are not known as executable extensions to the Windows OS. How can a txt (or pdn) viewer be exploited?

Re: PDN Question

Post by Michael S. Sanders »

Bingo! You've nailed it spot on Matt.

Speaking only for myself here...

My idea simply allows you to open a document; if that document has an association, then Windows will open it with the associated executable. For instance:

txt/Notepad
doc/Word
html/browser

Another example:

Visualize a diagram within a window, beside the diagram is a hyperlink that says:

<Author: Matt>

In plain text it looks like this:

Code:

[url=http://draughts.info]<Author: Matt>[/url]


(For those lurking, the line above is a real world example and is certainly not dangerous). When accessing the url, you're simply taken to the resource. And that's it, certainly nothing fancy, more practical than much anything else =) This forum uses ex/internal resources, Windows uses ex/internal resources.

There is (as you know) no more danger in this than another's program doing the exact same, simply depends on how it's construed. Others will have different thinking, while employing the same results oddly enough. All I ask is that we reserve judgment till an example is posted rather than knee jerk reactions. Dunno what to say, shrug :/

Re: PDN Question

Post by murray »

I don't quite understand the security problems or even how they would possibly relate to the programmer. Is not an xml == pdn == txt as far as the type of document? To my understanding all of the three contain ASCII text and are not known as executable extensions to the Windows OS. How can a txt (or pdn) viewer be exploited?


Well the suggestion is that PDN is extended to include a [Resource] tag, and that the PDN viewer asks the operating system to open the resource. That's fine and dandy if we have something like

Code:

[Black "Some player"]
[White "some other player"]
[Result "1/2-1/2"]
[Resource "http://www.nemesis.info/games/myref.txt"]

9-14 22-18 ...



(txt file, safe)

but it's not fine if somebody puts something malicious inside the PDN, like

Code:


[Black "Some player"]
[White "some other player"]
[Result "1/2-1/2"]
[Resource "http://somewherenasty.com.ro/reformat_your_hdd.exe"]

9-14 22-18 ...



A ridiculous example but it makes the point.
So you see it doesn't matter that PDN is a text document - What matters is how the PDN viewer handles Resource tags.

Re: PDN Question

Post by matthewkooshad »

I don't see the point of the resource tag. Why not have the contents of that txt file within the pdn?

txt"] // Just check if the string ends with this? It seems this is a static layout for the pdn you guys are speaking of.
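
An added example, not part of any post in this thread and not code from any PDN viewer: it parses the header tags discussed above and compares the "ends with txt" string test with a check on the parsed URL. The allowed schemes and suffixes, the function names, and the sample game (including the example.com URL) are assumptions constructed for illustration.

```python
import re
from pathlib import PurePosixPath
from urllib.parse import urlsplit

# Assumed viewer policy (not from the thread): web links to text or HTML only.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_SUFFIXES = {".txt", ".htm", ".html"}

TAG_RE = re.compile(r'^\[(\w+)\s+"([^"]*)"\]$')

# Constructed sample game: the Resource value ends in "txt" but names an .exe.
SAMPLE_PDN = '''[Black "Some player"]
[White "some other player"]
[Result "1/2-1/2"]
[Resource "http://example.com/setup.exe?name=notes.txt"]

9-14 22-18 ...
'''

def parse_headers(pdn_text):
    """Return the [Name "value"] header tags of one PDN game as a dict."""
    headers = {}
    for line in pdn_text.splitlines():
        match = TAG_RE.match(line.strip())
        if match:
            headers[match.group(1)] = match.group(2)
    return headers

def naive_check(url):
    """The string test suggested in the thread: does the value end in 'txt'?"""
    return url.endswith("txt")

def resource_is_safe(url):
    """Judge the parsed URL (scheme, host, path suffix), not the raw string."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    if parts.username or parts.password:
        return False  # reject user:pass@host forms that disguise the real host
    # Query string and fragment are ignored; only the path names the file.
    return PurePosixPath(parts.path).suffix.lower() in ALLOWED_SUFFIXES

if __name__ == "__main__":
    url = parse_headers(SAMPLE_PDN)["Resource"]
    print(url, "naive:", naive_check(url), "parsed:", resource_is_safe(url))
```

The suffix check only describes the URL; the server decides what is actually returned, so a viewer would still hand an accepted link to the browser rather than download and open the file itself.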

Re: PDN Question

Post by Michael S. Sanders »

The resource tag as I'm intending to use it (assuming the app has an export feature) allows a pointer to dynamic content to be embedded in a game file. It's not static-minded but rather provides a degree of extensibility. It's equatable to a hyperlink that would allow more detail to be shown. Who knows, might even cobble together a new format like PCN or some such, this way the existing format of PDN remains unchanged. This would seem to be a good option on my end as it allows my ideas to be served without any fuss.

As for the resource tag I want to stress:

Only items a computer can open by default will run. For instance, browsers will not run an executable remotely on your drive like:

Code:

[Resource "http://propaganda.com/exaggerations.exe"]


Existing apps already use external content.

Those disagreeing with the tag need not do anything. Just ignore the tag.