Filed under: Analysis / Opinion, OS, Rumors
Leopard Axing Input Managers?
There's a disturbing rumor floating around the Mac web today. According to this article at Infinite Loop, Leopard will no longer support Input Manager hacks. Input Managers allow programmers to insert code into cocoa applications, thus allowing the addition of new functionality. etc. These are somewhat controversial as some claim this is a potential security hole. Nonetheless, Jon Hicks brings this up in connection to my absolute favorite input manager plugin, Saft for Safari, which will presumably be rendered non-functional in Leopard. As Hicks notes, its not clear yet whether this also affect the widely used SIMBL plugin architecture (whose author, Pith Helmet developer Mike Solomon, says he won't be sure until he can play with Leopard). If, like me, you're a big fan of Saft and SafariStand and Chax, etc. this is cause for concern.It is to be hoped, of course, that the authors of the various plugins will find some other way of implementing their feature enhancements, even if Apple does close the Input Manager route. The best thing would be for Apple to implement an open plugin architecture for doing this sort of enhancement, but I won't be holding my breath on that one. In any case, this is a potential concern for those of us sure to upgrade to Leopard right after it launches.

![TUAW [Cafepress]](http://www.blogsmithmedia.com/www.tuaw.com/media/tuaw-cafepress-promo.png)


Reader Comments (Page 1 of 2)
mayo said 6:31PM on 3-24-2007
Uhm, there is a open plugin way ... Safari supports the old netscape plugin api afaik, but it's painful to work with and not very well documented. I stumbled on some of the docs and I think one example on the developer.apple.com pages somewhere.
Reply
Bill said 6:42PM on 3-24-2007
If I lose the use of Inquisitor, I might riot.
Reply
Macskeeball said 6:47PM on 3-24-2007
Mayo, he's not talking about browser plugins as in media plugins like QuickTime, etc. What's being talked about are browser add-ons that are more like Firefox extensions: third party software that adds new features. I use a number of add-ons with Camino.
Reply
guilt+1 said 7:21PM on 3-24-2007
The only reason I use safari is because I have, Saft, Pithhelmet, SafariStand, Safariplus
All these things combine to make Safari awesome for me.
Reply
G said 7:30PM on 3-24-2007
I've gone back to Firefox for compatibility with sites like Blogger, extra features in Gmail, etc. (two minor examples). However, if I can't use Saft in Safari, and Apple doesn't build in basic ad-blocking at the very least, then I'll probably be using Firefox for a good while longer. This isn't MyFirstComputer. Apple wants a clean and safe environment. Fine. But completely preventing third party participation is plain arrogant. Safari isn't finished yet (or is it?). I guess we'll see.
Reply
Alexmak said 7:52PM on 3-24-2007
oh come on. have any one of you actually ever seen how it's made now with input managers in Leopard?
Reply
Alexmak said 7:55PM on 3-24-2007
shoot, comments don't support HTML with img src tag. check this out, the actual screenshot from the recent build of Leopard.
http://img227.imageshack.us/img227/7002/sssmr7.jpg
they are not axed, but now you can disable it.
Reply
app4mac.com said 7:59PM on 3-24-2007
We make two Inputs Managers for Mac OS X. CutX Content Filter and RapidoWrite and we hope to see Apple keeping this feature.
Reply
Kol. Panic said 8:49PM on 3-24-2007
I've always thought of input managers as kind of dangerous. They've strayed far from their original purpose - providing alternative means of text input- and they've become a significant potential vector for malware. Indeed, while there haven't been any reports of in-the-wild infections, the two proof-of-concept Mac OS X trojans I've heard of use input managers. I, for one, think it's about time they're gone. However, an official plug-in architecture for apps like Safari would be a nice replacement.
Reply
Serge said 10:47PM on 3-24-2007
No Saft, bye bye Safari, hello Camino (or Firefox, Omniweb, anything else).
Reply
Simon Arch said 11:02PM on 3-24-2007
Alexmak, where did you find that screenshot? The grammar and formatting were atrocious. It's hard to believe Apple would put out a product with a message like that, even in a beta.
Reply
Rosyna said 1:03AM on 3-25-2007
Simon Arch, no kidding. What is a functionality? Why would a user care about Cocoa or not?
Also, http://developer.apple.com/documentation/Cocoa/Reference/ApplicationKit/Classes/NSInputManager_Class/Reference/Reference.html
Reply
Anon said 1:51AM on 3-25-2007
I don't understand why people use a separate ad-blocking plugin for every browser when the awesome Privoxy (http://www.privoxy.org) does so much more and will work in every browser.
Reply
Hervé S. said 4:33AM on 3-25-2007
Anon, the Privoxy url you give points to an ad site; to download Privoxy (of which I'm an extremely happy user) go to http://sourceforge.net/projects/ijbswa ...
Privoxy has this excellent feature that you can use it with any app browsing, for instance I am working now from my RSS reader's html viewer, with ads filtered even though the developer never thougt of it...
Hervé
Reply
Nick said 4:37AM on 3-25-2007
"There's a disturbing rumor floating around the Mac web today."
Oh, yes, it's disturbing, indeed, to hear that a security hole in the OS is likely to be closed.
Good grief.
Reply
JeffDM said 1:00PM on 3-25-2007
Security hole? Can an Input Manager even be installed without the operating system warning the user?
Reply
Jesse Gillespie said 1:36PM on 3-25-2007
System-wide input managers require a warning, but they can be installed for individual users with just user privileges. It wouldn't be too hard to have a warning for that too though...
Personally, I'm a little bummed to see spellchecker and textpander, two apps I rely on a lot, may not be possible in Leopard...
Reply
MatzeLoCal said 4:22AM on 3-26-2007
I would welcome it, if Apple kicks input managers out of OS X. I already "disabled" inputer managers and if an app wants to install a input manager, I will avoid it.
The idea behind Input Managers was ok, but the have been used in the wrong way.
Reply
Mo said 9:20AM on 3-26-2007
Input Managers are effectively a drag-and-drop means of something that's only marginally more difficult to do another way (and even then it's trivial, especially if you're in the game of producing malware). Mac OS X's dynamic linker, just like most Unix/Unix-like operating systems, has the facility to preload or insert additional dynamic libraries. On Darwin and friends, it's the DYLD_INSERT_LIBRARIES environment variable (which of course applies to everything, not just Cocoa apps); on Linux and Solaris (and possibly the BSDs), it's LD_PRELOAD. Granted, there's no specific hook callback mechanism, but most of the really useful Input Managers seem to use the system as a means of shoehorning themselves into the application's memory space, which is all DYLD_INSERT_LIBRARIES does for you.
I don't know (because I've not tested it yet) whether DYLD_INSERT_LIBRARIES can be set via environment.plist: Apple would have had to specifically prevented it if it can't. If it can, there's your install vector right there; instead of copying a file in place, you have to copy a file in place and update a property list. Given most Input Manager hacks come with installers already, there's not a huge difference from an end-user perspective (and it's not noticeably more difficult for a malware author).
Reply
Jim Hillhouse said 3:51PM on 3-26-2007
About time that this hack to Input Manager is being sealed.
I'm sorry if this hurts a few of you, but the fact that coders do this against EVERYTHING Apple tells them is for this programmer unacceptable. All such security issues should be terminated, period.
Keep it coming, Apple!!!
Reply