Re: Any thoughts on exec: URL?

Rik Harris <>
Message-id: <>
Subject: Re: Any thoughts on exec: URL? 
In-reply-to: Your message of "08 Mar 93 09:37:59 EST."
Date: Tue, 09 Mar 93 09:48:59 +1100
From: Rik Harris <>
X-Mts: smtp
> In the next version of tkWWW, I'm planning to include an "exec:" URL
> header.  If you select a tag with this header it will display the text
> at the end of the address and ask the user if it wants to execute it
> as a system call.
> Any thoughts?  In particular, are there any security problems won't be
> fixed by asking the user whether or not to execute the command before
> doing so?

This is bringing the security problem down on the knowledge of the
user, which has never been a good idea (otherwise, password systems
would _work_).  If the users don't understand what a command does, some
will never execute them (which is admittedly no worse than the current
situation), and some will always execute them, which doesn't provide
any security.  I can see the neophytes looking at the box that popped
up with some gibberish, and saying that the Web is too complicated,
and then going back to gopher ;-)

Also, this will be extremely client specific.  There's no advantage in
including the same extension in non-unix clients, as the exec will not
work in (say) VMS or MS-DOG.  I'd like to see clients converge
towards a standard (or at least, have a standard converge towards
the clients), but this is not possible if URL's will only be useful
for one OS.  It would also be annoying to maintain a different Web for
different clients.

You could probably make it work by designing a meta-language, that
could be implemented by each client.  This way, you can build the
security in from the start, and not worry about unknowledgeable

Rik Harris -              || Systems Programmer
+61 3 560-3265 (AH) +61 3 565-3227 (BH)                 || and Administrator
Faculty of Computing and Information Technology,        || Vic. Institute of
Clayton Campus, Monash University                       || Forensic Pathology