The macosxhints Forums


xspoon 05-12-2007 12:35 PM

how to launch an AppleScript from a link in a web page?
 
We have an intranet and have an AppleScript. We are trying to figure out the proper command set within HTML to launch a local AppleScript once a button is pressed within a local webpage.

Any Help???

tw 05-12-2007 01:14 PM

the specific thing you're asking can't be done. HTML has no capacity to launch a script, Javascript can't do it either (at least not as far as I know, which is pretty far...).

you realize, of course, that the reason you can't launch a script from a webpage is the same reason you can't launch an application - it's a horrible security hole. an applescript that would delete your home directory is 4 lines long; deleting it irretrievably might take 10 lines. you want that popping up over the web?

maybe if you explain more clearly what you're trying to do, we can suggest alternate approaches.

xspoon 05-12-2007 01:32 PM

I would like to thank everyone for their help.. We were able to pull this off by using MissingLink.

thanks again.. you all saved us...

mark hunte 05-12-2007 02:18 PM

I suspect you are talking about missinglink from scriptbuilders.net
To save others googling to find out what the OP is talking about,

Quote:

Missing Link is a simple utility that allows you to open, run or launch almost anything on your Mac from a link or a bookmark in a browser... or from links in Cocoa applications that support HTM

tw 05-12-2007 03:31 PM

Quote:

Originally Posted by mark hunte (Post 378652)
I suspect you are talking about missinglink from scriptbuilders.net

yah, thanks. too bad they saved that as run-only; now I'll have to figure out the script on my own. :(

bunnz 05-13-2007 09:19 AM

If I _hadn't_ made Missing Link run-only, I would consider it a security hole too...

Peter B.

-----

hayne 05-13-2007 10:54 AM

Quote:

Originally Posted by bunnz (Post 378773)
If I _hadn't_ made Missing Link run-only, I would consider it a security hole too...

Please explain why you think it is more secure to have this as run-only.
You seem to be saying that if you released the source code for "Missing Link", that would somehow make it less secure - I don't see how that could be the case.

tw 05-13-2007 12:49 PM

Quote:

Originally Posted by bunnz (Post 378773)
If I _hadn't_ made Missing Link run-only, I would consider it a security hole too...

the security problem would only exist if you could run an applescript from a remote site (e.g., I go to some web page somewhere out on the internet, and the webpage triggers an applescript on my machine). I only commented on that because I misunderstood what the original poster was after. what you've provided is something that is installed on (and controlled by) the client, which is much less of a risk, assuming you're an honest guy... :) I have to say I'm a little concerned even by the possibility that someone can trigger an applescript from a webpage, though, given the capabilities of AS. (example: someone manages to get the script installed on your machine, goes home to his machine and browses your personal website, triggering the script on your machine to load and run a script from his machine, which gives him access to unix, et voila - all your bases are belonged to us). I'd feel more comfortable if I could see the code so I knew its limitations, but I respect your right to make a little pocket cash. maybe you should send the code to Apple as a potential security gambit, and let them evaluate it.

bunnz 05-13-2007 12:53 PM

hayne:

Though Missing Link now runs to several hundred lines of vanilla AppleScript code, the basic functionality is available in maybe ten or twenty... I haven't counted recently. It requires additional preparation to work properly, but if I published a 'recipe' in open source, I would consider that an invitation to malicious abuse.

The extra code helps lock it down to local use... by a single local user. It isn't bulletproof yet, but I continue work on it, and the next version will be still more secure.

It will have to be... the version in preparation will now run compiled scripts (not merely applications) from links.

ML definitely has local utility... and is intended only for local use.

Peter B.

-----

bunnz 05-13-2007 01:12 PM

tw:

By all rights, Apple should be aware of Missing Link's capability - both from the utility and security standpoints. I've been quietly (and not so quietly) 'pushing' it (or something very similar) for years now.

I retired it for a few years while I was still languishing in OS 9... and have only recently reintroduced it. There was one previous OS X capable version, and its mention provoked a huge firestorm of response on another discussion forum at the time.

I'm not really interested in defending my motivations for it again...

I understand what run-only means and why folks may be leery of any offering they can't read before use. But I can't read much more than AppleScript and HTML (both in simplest forms), so I wouldn't likely use _any_ third party apps if I took the same approach.

Anyways...

Peter B.

-----

tw 05-13-2007 01:46 PM

Quote:

Originally Posted by bunnz (Post 378805)
By all rights, Apple should be aware of Missing Link's capability - both from the utility and security standpoints. I've been quietly (and not so quietly) 'pushing' it (or something very similar) for years now.

well, should be aware and is aware are different things, and Apple has a looong track record of being a bit naive when it comes to practical matters. the moral action would be to code up a proof of concept, email it to Apple, and then burn it off your machine and forget about it. if they want to ignore it, that's their business.

on examination, I think I understand the basic mechanism you use, and I think I see how to duplicate it if I wanted. if I'm right, it's no more virulent than any other app, if people use common sense and standard precautions (though I suggest you take the security section of your read me and paste it at the top of the document rather than burying it at the bottom). but still...

bunnz 05-13-2007 03:04 PM

tw wrote:

>>on examination, I think I understand the basic mechanism you use, and I think I see how to duplicate it if I wanted. if I'm right, it's no more virulent than any other app

--

In basis... AppleScript... Standard Additions... since OS 7.6... 8.1?

Though it may not have sounded like it, I appreciate the input from this thread. ML is still 'a work in progress' and I have never known whether to bury it deep or hawk it freely ('unimpaired') as shareware. Most folks are so busy running away from anything like ML that they won't even comment. I'm used to it... or should be by now.

I remain undecided about ML's eventual fate, but I've been at something similar since '98. No reason to get in a hurry now.

That's all (for today) folks.

It's Mother's Day, and I've got phone calls to make.

Peter B.

-----

hayne 05-13-2007 04:05 PM

Quote:

Originally Posted by bunnz (Post 378802)
if I published a 'recipe' in open source, I would consider that an invitation to malicious abuse

You seem to be concerned that someone else could take your recipe and create an applet that could then be used for malicious purposes.
As others have said, if you think that Missing Link is taking advantage of a security hole in OS X, you have a duty to inform Apple.
However, I think it is likely that things are working as designed - that there is no security hole.
If a malicious person can get someone to install arbitrary software, then it's already game over. So no need to worry about what holes might be opened up by your software - instead just warn the users in clear language about the risks.
And making your software open source is a good way to make sure that there aren't security holes in it due to something you've overlooked.

bunnz 05-15-2007 04:36 PM

hayne:

Thanks for your thoughts...

Again, ML is still on the drawing board, and I make no representation that it is 'finished'. If I get to that point, I might very well like review and evaluation by a 'trusted person or persons'.

But - lord knows - they're hard to find these days.

--

BTW, is it my lousy dialup connection, Safari, or this implementation of PHP that frequently cuts threads short? It happens a lot here at OS X Hints.

PB

-----

bunnz 05-23-2007 09:19 AM

Just to beat up this thread a little more...

The updated version of Missing Link 'promised' above is now available at:

http://www.mhtc.net/~bunnz/scriptlink.html

and...

http://scriptbuilders.net/files/missinglink2.3b2.html

--

I would welcome feedback from folks who can make it break... or breach the basic security safeguards it now offers.

I doubt it's yet bulletproof, but it's coming along...

Thanks.

Peter B.

-----

t-k 06-07-2007 06:51 AM

You could always make a PHP exec to call the AppleScript via osascript. This works, but please note this is a huge security issue.
You have to save the script so it is run-only.

<?php
// Run the saved AppleScript with osascript; it executes on the machine running the web server.
shell_exec("osascript /Library/Webserver/Documents/yourapplescript.scpt");
?>

But this should only be used if the server it is running on is not connected to the world, only to a local secure intranet, if you really have to do it.
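
A more constrained form of the PHP approach in the post above, as an added example that is not from the thread: it accepts clients from loopback or private intranet addresses only, runs the script on a POST carrying a session token, and passes one fixed path to osascript so nothing from the request reaches the shell. The helper name, the address ranges and the token handling are assumptions; the script path is the one from the post.

```php
<?php
// Added example, not from the thread. Assumed: helper name, allowed ranges,
// session CSRF token. SCRIPT_PATH is the path used in the post above.
const SCRIPT_PATH = '/Library/Webserver/Documents/yourapplescript.scpt';

// True only for loopback and RFC 1918 private IPv4 clients.
function is_intranet_client(string $ip): bool
{
    $addr = ip2long($ip); // false unless $ip is a dotted-quad IPv4 address
    if ($addr === false) {
        return false;
    }
    $nets = [['127.0.0.0', 8], ['10.0.0.0', 8], ['172.16.0.0', 12], ['192.168.0.0', 16]];
    foreach ($nets as [$net, $bits]) {
        $mask = -1 << (32 - $bits);
        if (($addr & $mask) === (ip2long($net) & $mask)) {
            return true;
        }
    }
    return false;
}

session_start();
if (empty($_SESSION['csrf'])) {
    $_SESSION['csrf'] = bin2hex(random_bytes(16));
}
if (!is_intranet_client($_SERVER['REMOTE_ADDR'] ?? '')) {
    http_response_code(403);
    exit('Forbidden');
}
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $token = $_POST['csrf'] ?? '';
    if (!is_string($token) || !hash_equals($_SESSION['csrf'], $token)) {
        http_response_code(403);
        exit('Bad token');
    }
    // Fixed, shell-quoted path: nothing from the request reaches the command line.
    exec('/usr/bin/osascript ' . escapeshellarg(SCRIPT_PATH), $output, $status);
    exit($status === 0 ? 'Script ran.' : 'Script failed.');
}
?>
<form method="post">
  <input type="hidden" name="csrf" value="<?= htmlspecialchars($_SESSION['csrf']) ?>">
  <button type="submit">Run script</button>
</form>
```

The script still runs on the machine hosting the web server, under the web server's user account. Keeping the .scpt file outside the document root prevents it from being fetched directly over HTTP.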

faezbhanji 06-10-2007 07:55 AM

t-k, how would you use the PHP call from a button?

hayne 06-10-2007 09:43 AM

Quote:

Originally Posted by t-k (Post 384108)
You could always make a PHP exec to call the AppleScript via osascript. This works, but please note this is a huge security issue.
You have to save the script so it is run-only.

<?php
// Run the saved AppleScript with osascript; it executes on the machine running the web server.
shell_exec("osascript /Library/Webserver/Documents/yourapplescript.scpt");
?>

But this should only be used if the server it is running on is not connected to the world, only to a local secure intranet, if you really have to do it.

But that would run the AppleScript on the web server. I.e. would only work to do what the original poster asked if the web page was being served by a web server on the local machine.

t-k 06-10-2007 03:05 PM

I thought that was what was required, to run a script on the local machine.

hayne 06-10-2007 05:04 PM

Quote:

Originally Posted by t-k (Post 384920)
I thought that was what was required, to run a script on the local machine.

Yes - but I believe the original poster wanted to serve the web pages from some other machine.
I.e. it is like Google supplying a web page that has a link on it that runs a script on your local machine.


All times are GMT -5.