Should libpurple trust IM servers?
Peter Lawler
bleeter at gmail.com
Tue Apr 9 04:00:23 EDT 2013
On 09/04/13 17:45, Mark Doliner wrote:
> We've had several security problems in libpurple due to PRPLs
> implicitly trusting the data given to us by various IM networks. I
> want to bring up this issue to make sure we're all on the same page,
> and so we have clear conventions in place.
<snip>
The only IM server libpurple should trust is the one sitting on the same
machine as the server, where the server and libpurple are under the
control of a single user (though I don't mean Unix user, a libpurple
user should have their own login and the IM server running as its own
userid, but I digress slightly) when it's a fresh install and no network
has been connected.
Ever.
Pete.