0

GoToMeeting's gotomeeting.com/join has an interesting behavior - when you visit a meeting URL directly you're required to download a new exe binary file which, when executed, has the meeting ID already integrated and will auto-launch the program without you needing to input a meeting ID.

My first thought is that this was incorporated into the metadata of the executable, but closer inspection leads me to believe that these exes are compiled with the meeting ID.

So here are a few questions:

  • Are they building/compiling on the fly?
  • If so, isn't there massive overhead to implementing this?
  • This has to be a massive security risk, right?

So assuming I am silly enough to attempt something like this - is there a safe way to be issuing make, etc. from my web-based framework? My gut tells me there isn't.

I've read the following SO questions which tell me that this kind of question is typically met with much ire:

fast on-demand c++ compilation

Silverlight on-demand compilation/Build

philwinkle
  • 1
    How did you come to the conclusion that the ID is not just included as metadata but the whole executable is compiled? If you have just looked at the exe resources, that's by far not the only way to include data in an exe file. For example, you can simply append the data and a size value after the file and it will work with ease (that's how many self-extracting archives work). – Tamás Szelei Feb 19 '13 at 19:15
  • 2
    I can't say if they're doing it or not, but how is it "a massive security risk?" It would be if their build machine were compromised, but any machine hosting executables is equally at risk. As for "massive overhead", it depends exactly what they're doing, but no, not necessarily. – Pete Feb 19 '13 at 19:16
  • @fish I don't mind admitting my ignorance to how these things work - I'm asking because I really have no idea. My file metadata examination skills turned up empty - I thought it would be worth sacrificing a few rep points to turn to SO and risk a bunch of downvotes to get someone's actual input to how this would be accomplished. I appreciate the feedback! – philwinkle Feb 19 '13 at 19:27

1 Answer

2

I don't see why you say that issuing make from within your web-based framework must necessarily be insecure. It may, but it may not. It will almost certainly be slow and will probably result in unacceptable delays.

The more sensible approach, in my opinion, is to have the executable already compiled, with a "blob" of reserved data in the resulting file into which you substitute the actual data you want and then sign the resulting file.

This will likely be significantly faster than compiling and easier to implement to boot!

Nik Bougalis
  • 1
    Compilation doesn't have to be a big deal. You can precompile the entire app except for perhaps a single file which contains a single string used elsewhere in the app. You could compile that single file very quickly and then do a link of that with the other pre-compiled files. – Pete Feb 19 '13 at 19:36
  • @Pete certainly, you can do that as well. – Nik Bougalis Feb 19 '13 at 19:37
  • 1
    @Pete: While you need not recompile, unless you hack your code base to support efficient linking the cost of linking won't be negligible. A complex application can take minutes to link (you could, on the other hand, hack your code into a single translation unit in which case linking with the added data will be fast). – David Rodríguez - dribeas Feb 19 '13 at 21:59
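
The approach from the answer above (a precompiled executable with a reserved blob that is filled in per download and then signed), sketched as an added example that is not part of the original thread or GoToMeeting's own code. The marker, slot size, nine-digit ID format and the stand-in template bytes are all assumptions.

```python
import re

# Constructed layout (assumption, not GoToMeeting's format): a 16-byte marker
# followed by a fixed 32-byte slot that the prebuilt program reads at startup.
MARKER = b"@@MEETING_SLOT@@"
SLOT_SIZE = 32
ID_PATTERN = re.compile(r"[0-9]{9}")  # assumed ID shape: exactly nine digits


def make_template() -> bytes:
    """Constructed stand-in for a precompiled executable with an empty slot."""
    return b"MZ" + b"\x90" * 64 + MARKER + b"\x00" * SLOT_SIZE + b"\xcc" * 64


def stamp(template: bytes, meeting_id: str) -> bytes:
    """Return a copy of template with meeting_id written into the reserved slot."""
    # The ID arrives from a URL, so accept only the exact expected shape.
    if not ID_PATTERN.fullmatch(meeting_id):
        raise ValueError("meeting ID must be exactly nine digits")
    # The marker must be unique, otherwise the wrong bytes could be patched.
    if template.count(MARKER) != 1:
        raise ValueError("template must contain the marker exactly once")
    start = template.index(MARKER) + len(MARKER)
    if start + SLOT_SIZE > len(template):
        raise ValueError("reserved slot is truncated")
    slot = meeting_id.encode("ascii").ljust(SLOT_SIZE, b"\x00")
    patched = template[:start] + slot + template[start + SLOT_SIZE:]
    # Same length in, same length out: no other offset in the file moves.
    if len(patched) != len(template):
        raise RuntimeError("patched image changed size")
    return patched


def read_slot(image: bytes) -> str:
    """What the launched program would do: read the ID back out of its slot."""
    start = image.index(MARKER) + len(MARKER)
    return image[start:start + SLOT_SIZE].rstrip(b"\x00").decode("ascii")


if __name__ == "__main__":
    stamped = stamp(make_template(), "123456789")
    print(read_slot(stamped))
    # Signing happens at this point, over the stamped bytes, as the answer says.
```

Because the meeting ID comes from the request URL, the strict format check is what keeps request data from writing arbitrary bytes into a file that is about to be signed.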