On the website https://madsenworld.dk/index-uk.htm?wincmd/index-uk.htm, I downloaded the ZIP file https://madsenworld.dk/tc-menus/tc1052_win10x86_amd64_eng.zip.
When I wanted to see this file's contents, it asks (or TC asks) me whether I want to install (or integrate) it, already defaulting to the 'Yes' button.
This message gets triggered with a double click and with Return/Enter, but not with Ctrl+PgDn.
While I truly agree that this functionality is great, I also have my concerns from the perspective of security.
A maliciously crafted archive file can pose a security threat to novice users, accidentally pressing Return/Enter more than once, like to open and close the archive file - very quickly...
That way, I would argue that just opening an archive, or reading its contents, should never throw a pop-up message to the user, apart from a damaged or corrupt archive.
(Even renaming the extension to, for instance, 'zi_', also triggers the pop-up for installation. After choosing 'Yes', it might ask for admin privileges, but this depends on your own configuration...)
Perhaps it would be better to simply put this functionality into a dedicated section (or place) under, for example, 'Options -> Configuration' and allow the user to integrate it via that specific place in the 'Configuration'.
That way, Total Commander should also be more robust in today's security landscape.
Subject adjusted by moderator to reflect the content.
[TC 11.00rc1, TC 10.52] 'Special' ZIP file asks to get itself installed (or integrated)
I see a security issue with the "Plugin-Installer" and the pop-up message to install it
- pi.degroote
- Junior Member
- Posts: 8
- Joined: 2018-08-12, 14:47 UTC
- Location: Ghent, Belgium
Last edited by pi.degroote on 2023-07-17, 10:43 UTC, edited 1 time in total.
- ghisler(Author)
- Site Admin
- Posts: 50532
- Joined: 2003-02-04, 09:46 UTC
- Location: Switzerland
Re: [TC 11.00rc1, TC 10.52] 'Special' ZIP file asks to get itself installed (or integrated)
This is not a bug and will not be changed. It is the main mechanism to install plugins and addons in Total Commander, and you will always be asked for confirmation. Double clicking an executable or associated file is much more dangerous because it opens them without any confirmation.
Author of Total Commander
https://www.ghisler.com
- pi.degroote
- Junior Member
- Posts: 8
- Joined: 2018-08-12, 14:47 UTC
- Location: Ghent, Belgium
Re: I see a security issue with the "Plugin-Installer" and the pop-up message to install it
Well, for me, I can understand it from your viewpoint. Though, I always consider a .ZIP file 'safe to open it', just like I would do with i.e. .TXT, .JPG, .PNG, .WEBP, etc. (as long as those image/video viewers have no exploited security vulnerabilities...)
As I know, an archive file would then only be safe for its 1st grade: opening the archive itself; any file inside (like .EXE, etc.) may cause harm to the system. As for now, it is also 'safe', as long as you don't press the Return/Enter button 2 times, for instance, to view its contents and then leave it immediately...
(Maybe putting an optional setting in place to, for instance, enable/disable the function...)