
tinman spent a few years mucking around in industry before going back to school for a Masters. Currently not enjoying the weather in North England.

He wrote Perl that looked suspiciously like C code in 1998, while working as an intern, and has been trying to cure that bad habit ever since.

Journal of tinman (2063)

Wednesday July 20, 2005
05:42 AM

greasemonkey has flaws

[ #25804 ]

It's probably old news by now, but Greasemonkey has serious, potentially fatal security flaws. The dev blog entry is here.

Having said that though, it's still possible (although not recommended, certainly) to use the old Greasemonkey safely. If a script isn't injected into a page, it can't be exploited. So, making sure scripts only execute on explicitly added pages (instead of using wildcarded includes) is one option.

Another, more obvious option is to install the update. And live without the fancy gm_ namespaced functions for a while.

Unless the specific sites that I use Greasemonkey for are compromised, I think I'm fairly safe. Famous last words? Maybe.
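
The advice above about avoiding wildcarded includes can be checked mechanically. The following is an added example, not part of the original journal entry and not Greasemonkey's own code: it reads a user script's `==UserScript==` metadata block and flags `@include` rules that contain wildcards. The sample script, its hostnames, and the function names are constructed for illustration.

```javascript
// Constructed sample user script header (not a real script).
const SAMPLE = `// ==UserScript==
// @name     Demo
// @include  http://*/*
// @include  http://www.example.com/mail/*
// @include  http://www.example.com/inbox.html
// ==/UserScript==
document.title = "demo";`;

// Extract @include / @exclude values from the ==UserScript== block.
function parseMetadata(source) {
  const block = source.match(
    /\/\/\s*==UserScript==([\s\S]*?)\/\/\s*==\/UserScript==/);
  const meta = { include: [], exclude: [] };
  if (!block) return meta;
  for (const line of block[1].split(/\r?\n/)) {
    const m = line.match(/^\s*\/\/\s*@(include|exclude)\s+(\S+)/);
    if (m) meta[m[1]].push(m[2]);
  }
  return meta;
}

// Classify one @include pattern by where its wildcard sits.
function classifyInclude(pattern) {
  if (!pattern.includes('*')) return 'exact';
  const m = pattern.match(/^([^:/]*):\/\/([^/]*)(\/.*)?$/);
  // Wildcard in the scheme or host (or no host at all, e.g. "*"):
  // the script can be injected into sites the user never picked.
  if (!m || m[1].includes('*') || m[2].includes('*')) return 'wildcard-host';
  return 'wildcard-path'; // fixed host, wildcard only in the path
}

// Return one finding per @include rule.
function auditScript(source) {
  const { include } = parseMetadata(source);
  // Greasemonkey documents a script with no @include as "@include *".
  if (include.length === 0) return [{ pattern: '*', scope: 'wildcard-host' }];
  return include.map(p => ({ pattern: p, scope: classifyInclude(p) }));
}

for (const f of auditScript(SAMPLE)) {
  console.log(`${f.scope.padEnd(14)} ${f.pattern}`);
}
```

Only rules reported as `exact` match the "explicitly added pages" approach described in the entry; anything else widens the set of pages the script is injected into.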

  • The NoScript [mozilla.org] extension disables JavaScript, unless you specifically allow it, per domain. That does include Greasemonkey scripts.

    I'm not entirely sure whether that's a good or a bad thing, though.
    • I use it, and it's a good thing, except for the infrequent times when NoScript crashes Firefox. I hope those will go away in a future update.

      --
      J. David works really hard, has a passion for writing good software, and knows many of the world's best Perl programmers
    • NoScript is actually pretty nifty :) I installed it once the fuss about GM security broke. The whitelisting was a bit tedious, but it seems to work.

      I think the problem that was raised on the GM list was that it just allows (or disallows) JavaScript. Malicious JavaScript could be inserted into a page via some hackery and it would be allowed. This, at least, was the theory and so people were recommended not to use NoScript to cover up GM security flaws :)