Archive for August 4, 2017

Friday, August 4, 2017

Using a Downloaded HTML File to Steal Files From a Mac

Anton Lopanitsyn (via Felix Schwarz):

Interestingly, .DS_Store can easily be parsed to get the names of all the files in the catalog. […] And this means that, with this information, we can now recursively call .DS_Store to get the complete hierarchy of files on my computer — all without authorized access to any of the directories.

[…]

We know that in the Chrome browser, reading local files is not that straightforward. The only way to do that is to launch Chrome with a special argument (--disable-web-security).

Safari also warns that it can’t work with the local files: such as file://

HOWEVER, if the file has originally been downloaded from the internet, Safari is a lot more permissive towards these kinds of requests. Thus one can send an XHR request to a local file and get back its content […] …if a file is local — you get access!

Knowing this Safari idiosyncrasy, with a full path name we can load the complete file content and upload it to an external server.

It seems like Safari’s Local File Restrictions should cover XMLHttpRequest in addition to file: URLs.

Using Static Frameworks to Speed Up Launching

Eric Horacek (via Ljuba Miljkovic):

This slowdown happens because every dynamic framework adds overhead for dyld to do before an app’s main() function is called (known as “loading, rebasing, and binding”). In this WWDC 2016 talk, Apple suggests replacing dynamic frameworks with static archives to mitigate this. To take this approach, we rebuilt as many of our dynamic frameworks as possible statically and then merged them into a single monolithic dynamic framework named AutomaticCore.

[…]

Apple wasn’t exaggerating when they said too many dynamic frameworks could slow down your app’s launch time. However, merging our dynamic frameworks wasn’t trivial: we had to rework our development workflow to build our app this way from now on.

[…]

It was not trivial to add support to Carthage for building static archives (.a files). However, with some minimal changes, we were able to update Carthage to support building static frameworks (.framework files). Static frameworks are just like static archives, but packaged differently. They have a similar structure to dynamic frameworks, but with a static Mach-O file in place of a dynamic one.

[…]

However, unlike dynamic frameworks, static frameworks are not embedded—meaning we needed to do some extra legwork to make their resources available.

See also: App Startup Time: Past, Present, and Future.

How Rust Is Tested

Brian Anderson (via Hacker News):

Rust has a strict continuous integration system that runs a great number of tests on every pull request, basically guaranteeing that the Rust master branch always works; which is crucial because Rust releases nightly builds every night, and stable builds every six weeks. And Rust further tests every release against its entire open source library ecosystem.

I’ve always admired well-tested software projects, like SQLite, and aim to place Rust among the pantheon of the best. This document then, is a catalog of all the ways we test Rust. I hope it provides insight into what it takes to deliver a production-quality programming language, a hint at the wide variety of techniques employed in software validation, and that it reinforces your confidence in Rust’s reliability.