Open redhat-raptor opened 4 years ago
Hello @redhat-raptor, this was added so that you could use icons with an http link (cf. https://github.com/julienXX/terminal-notifier/blame/3ba9ce569e234062d09c8fd01c4be11e56a9fd1b/Terminal%20Notifier/Terminal%20Notifier-Info.plist#L37). I think this could be disabled; using simple http is really not a good practice nowadays.
I heard from a guy who told me that terminal-notifier was flagged as "Trojan / AdLoad" by BitDefender. Maybe that's related?
@julienXX how would we change that flag to false? The one in info.plist. I imagine we can fork it. Is this the only option?
@julienXX Is there any change planned to disable this? A code scanning tool is referring to it as a critical security issue.
@Yusuf023 sure, do you want to make a pull-request for this change?
Hi! I have created a new pull-request for resolving this issue. https://github.com/julienXX/terminal-notifier/pull/285#issue-563534367
Hello,
In file: https://github.com/julienXX/terminal-notifier/blob/master/Terminal%20Notifier/Terminal%20Notifier-Info.plist the value of NSAllowsArbitraryLoads has been set to true. A code scanning tool is labelling this as a security breach. May I know what this property is used for, please!?
I did a quick grep for NSAllowsArbitraryLoads in the source code, however, looks like no code is directly referencing the item. Could anyone clarify what this piece of config is really doing?
Apple also identifies this as a security issue here: https://developer.apple.com/documentation/bundleresources/information_property_list/nsapptransportsecurity/nsallowsarbitraryloads
Help is appreciated!