Go Back   The macosxhints Forums > Working with OS X > OS X Developer



Reply
 
Thread Tools Rate Thread Display Modes
Old 05-12-2007, 11:35 AM   #1
xspoon
Prospect
 
Join Date: May 2007
Posts: 2
Post how to launch an AppleScript from a link in a web page?

We have a Intranet and have an apple script. We are trying to figure out the proper commend set within HTML to launch a local Apple script once a button is pressed within a local webpage..

Any Help???
xspoon is offline   Reply With Quote
Old 05-12-2007, 12:14 PM   #2
tw
Hall of Famer
 
Join Date: Apr 2007
Posts: 4,262
the specific thing your asking can't be done. HTML has no capacity to launch a script, Javascript can't do it either (at least not as far as I know, which is pretty far...).

you realize, of course, that the reason you can't launch a script from a webpage is the same reason you can't launch an application - it's a horrible security hole. an applescript that would delete your home directory is 4 lines long; deleting it irretrievably might take 10 lines. you want that popping up over the web?

maybe if you explain more clearly what you're trying to do, we can suggest alternate approaches.
tw is offline   Reply With Quote
Old 05-12-2007, 12:32 PM   #3
xspoon
Prospect
 
Join Date: May 2007
Posts: 2
I would like to thank everyone for their help.. We were able to pull this off by using MissingLink.

thanks again.. you all saved us...
xspoon is offline   Reply With Quote
Old 05-12-2007, 01:18 PM   #4
mark hunte
MVP
 
Join Date: Apr 2004
Location: Hello London Calling
Posts: 1,787
I suspect you are talking about missinglink from scriptbuilders.net
To save others googling to find out what the OP is talking about,

Quote:
Missing Link is a simple utility that allows you to open, run or launch almost anything on your Mac from a link or a bookmark in a browser... or from links in Cocoa applications that support HTM

mark hunte is offline   Reply With Quote
Old 05-12-2007, 02:31 PM   #5
tw
Hall of Famer
 
Join Date: Apr 2007
Posts: 4,262
Quote:
Originally Posted by mark hunte
I suspect you are talking about missinglink from scriptbuilders.net

yah, thanks. too bad they saved that as run-only; now I'll have to figure out the script on my own.
tw is offline   Reply With Quote
Old 05-13-2007, 08:19 AM   #6
bunnz
Triple-A Player
 
Join Date: Aug 2003
Posts: 62
If I _hadn't_ made Missing Link run-only, I would consider it a security hole too...

Peter B.

-----
bunnz is offline   Reply With Quote
Old 05-13-2007, 09:54 AM   #7
hayne
Site Admin
 
Join Date: Jan 2002
Location: Montreal
Posts: 32,462
Quote:
Originally Posted by bunnz
If I _hadn't_ made Missing Link run-only, I would consider it a security hole too...

Please explain why you think it is more secure to have this as run-only.
You seem to be saying that if you released the source code for "Missing Link", that would somehow make it less secure - I don't see how that could be the case.
__________________
hayne.net/macosx.html
hayne is offline   Reply With Quote
Old 05-13-2007, 11:49 AM   #8
tw
Hall of Famer
 
Join Date: Apr 2007
Posts: 4,262
Quote:
Originally Posted by bunnz
If I _hadn't_ made Missing Link run-only, I would consider it a security hole too...

the security problem would only exist if you could run an applescript from a remote site (e.g., I go to some web page somewhere out on the internet, and the webpage triggers an applescript on my machine). I only commented on that because I misunderstood what the original poster was after. what you've provided is something that is installed on (and controlled by) the client, which is much less of a risk, assuming you're an honest guy... I have to say I'm a little concerned even by the possibility that someone can trigger an applescript from a webpage, though, given the capabilities of AS. (example: someone manages to get the script installed on your machine, goes home to his machine and browses your personal website, triggering the script on your machine to load and run a script from his machine, which gives him access to unix, et voila - all your bases are belonged to us). I'd feel more comfortable if I could see the code so I knew its limitations, but I respect your right to make a little pocket cash. maybe you should send the code to Apple as a potential security gambit, and let them evaluate it.
tw is offline   Reply With Quote
Old 05-13-2007, 11:53 AM   #9
bunnz
Triple-A Player
 
Join Date: Aug 2003
Posts: 62
hayne:

Though Missing Link now runs to several hundred lines of vanilla AppleScript code, the basic functionality is available in maybe ten or twenty... I haven't counted recently. It requires additional preparation to work properly, but if I published a 'recipe' in open source, I would consider that an invitation to malicious abuse.

The extra code helps lock it down to local use... by a single local user. It isn't bulletproof yet, but I continue work on it, and the next version will be still more secure.

It will have to be... the version in preparation will now run compiled scripts (not merely applications) from links.

ML definitely has local utility... and is intended only for local use.

Peter B.

-----
bunnz is offline   Reply With Quote
Old 05-13-2007, 12:12 PM   #10
bunnz
Triple-A Player
 
Join Date: Aug 2003
Posts: 62
tw:

By all rights, Apple should be aware of Missing Link's capability - both from the utility and security standpoints. I've been quietly (and not so quietly) 'pushing' it (or something very similar) for years now.

I retired it for a few years while I was still languishing in OS 9... and have only recently reintroduced it. There was one previous OS X capable version, and its mention provoked a huge firestorm of response on another discussion forum at the time.

I'm not really interested in defending my motivations for it again...

I understand what run-only means and why folks may be leery of any offering they can't read before use. But I can't read much more than AppleScript and HTML (both in simplest forms), so I wouldn't likely use _any_ third party apps if I took the same approach.

Anyways...

Peter B.

-----
bunnz is offline   Reply With Quote
Old 05-13-2007, 12:46 PM   #11
tw
Hall of Famer
 
Join Date: Apr 2007
Posts: 4,262
Quote:
Originally Posted by bunnz
By all rights, Apple should be aware of Missing Link's capability - both from the utility and security standpoints. I've been quietly (and not so quietly) 'pushing' it (or something very similar) for years now.

well, should be aware and is aware are different things, and Apple has a looong track record of being a bit naive when it comes to practical matters. the moral action would be to code up a proof of concept, email it to Apple, and then burn it off your machine and forget about it. if they want to ignore it, that's their business.

on examination, I think I understand the basic mechanism you use, and I think I see how to duplicate it if I wanted. if I'm right, it's no more virulent than any other app, if people use common sense and standard precautions (though I suggest you take the security section of your read me and paste it at the top of the document rather than burying it at the bottom). but still...
tw is offline   Reply With Quote
Old 05-13-2007, 02:04 PM   #12
bunnz
Triple-A Player
 
Join Date: Aug 2003
Posts: 62
tw wrote:

>>on examination, I think I understand the basic mechanism you use, and I think I see how to duplicate it if I wanted. if I'm right, it's no more virulent than any other app

--

In basis... AppleScript... Standard Additions... since OS 7.6... 8.1?

Though it may not have sounded like it, I appreciate the input from this thread. ML is still 'a work in progress' and I have never known whether to bury it deep or hawk it freely ('unimpaired') as shareware. Most folks are so busy running away from anything like ML that they won't even comment. I'm used to it... or should be by now.

I remain undecided about ML's eventual fate, but I've been at something similar since '98. No reason to get in a hurry now.

That's all (for today) folks.

It's Mother's Day, and I've got phone calls to make.

Peter B.

-----
bunnz is offline   Reply With Quote
Old 05-13-2007, 03:05 PM   #13
hayne
Site Admin
 
Join Date: Jan 2002
Location: Montreal
Posts: 32,462
Quote:
Originally Posted by bunnz
if I published a 'recipe' in open source, I would consider that an invitation to malicious abuse

You seem to be concerned that someone else could take your recipe and create an applet that could then be used for malicious purposes.
As others have said, if you think that Missing Link is taking advantage of a security hole in OS X, you have a duty to inform Apple.
However, I think it is likely that things are working as designed - that there is no security hole.
If a malicious person can get someone to install arbitrary software, then it's already game over. So no need to worry about what holes might be opened up by your software - instead just warn the users in clear language about the risks.
And making your software open source is a good way to make sure that there aren't security holes in it due to something you've overlooked.
__________________
hayne.net/macosx.html
hayne is offline   Reply With Quote
Old 05-15-2007, 03:36 PM   #14
bunnz
Triple-A Player
 
Join Date: Aug 2003
Posts: 62
hayne:

Thanks for your thoughts...

Again, ML is still on the drawing board, and I make no representation that it is 'finished'. If I get to that point, I might very well like review and evaluation by a 'trusted person or persons'.

But - lord knows - they're hard to find these days.

--

BTW, is it my lousy dialup connection, Safari, or this implementation of PHP that frequently cuts threads short? It happens a lot here at OS X Hints.

PB

-----
bunnz is offline   Reply With Quote
Old 05-23-2007, 08:19 AM   #15
bunnz
Triple-A Player
 
Join Date: Aug 2003
Posts: 62
Just to beat up this thread a little more...

The updated version of Missing Link 'promised' above is now available at:

http://www.mhtc.net/~bunnz/scriptlink.html

and...

http://scriptbuilders.net/files/missinglink2.3b2.html

--

I would welcome feedback from folks who can make it break... or breach the basic security safeguards it now offers.

I doubt it's yet bulletproof, but it's coming along...

Thanks.

Peter B.

-----
bunnz is offline   Reply With Quote
Old 06-07-2007, 05:51 AM   #16
t-k
Prospect
 
Join Date: May 2007
Posts: 3
You could always make a php exec to call the applescript via osascript this works but please note this is a huge security issue
You have to save the script so it is run only

<?php
shell_exec("osascript -l open /Library/Webserver/Documents/yourapplescript.scpt'");
?>

but this should only be used if the server it is running on is not connected to the world only local secure intranet, if you really have to do it.
t-k is offline   Reply With Quote
Old 06-10-2007, 06:55 AM   #17
faezbhanji
Prospect
 
Join Date: Feb 2007
Posts: 27
t-k, how would you use the php call from a button
faezbhanji is offline   Reply With Quote
Old 06-10-2007, 08:43 AM   #18
hayne
Site Admin
 
Join Date: Jan 2002
Location: Montreal
Posts: 32,462
Quote:
Originally Posted by t-k
You could always make a php exec to call the applescript via osascript this works but please note this is a huge security issue
You have to save the script so it is run only

<?php
shell_exec("osascript -l open /Library/Webserver/Documents/yourapplescript.scpt'");
?>

but this should only be used if the server it is running on is not connected to the world only local secure intranet, if you really have to do it.

But that would run the AppleScript on the web server. I.e. would only work to do what the original poster asked if the web page was being served by a web server on the local machine.
__________________
hayne.net/macosx.html
hayne is offline   Reply With Quote
Old 06-10-2007, 02:05 PM   #19
t-k
Prospect
 
Join Date: May 2007
Posts: 3
I thought that what was required, to run a script on local machine
t-k is offline   Reply With Quote
Old 06-10-2007, 04:04 PM   #20
hayne
Site Admin
 
Join Date: Jan 2002
Location: Montreal
Posts: 32,462
Quote:
Originally Posted by t-k
I thought that what was required, to run a script on local machine

Yes - but I believe the original poster wanted to serve the web pages from some other machine.
I.e. it is like Google supplying a web page that has a link on it that runs a script on your local machine.
__________________
hayne.net/macosx.html
hayne is offline   Reply With Quote
Reply

Thread Tools
Display Modes Rate This Thread
Rate This Thread:

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump



All times are GMT -5. The time now is 07:13 AM.


Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.
Site design © IDG Consumer & SMB; individuals retain copyright of their postings
but consent to the possible use of their material in other areas of IDG Consumer & SMB.