Should libpurple trust IM servers?

Mark Doliner mark at kingant.net
Tue Apr 9 03:45:43 EDT 2013


We've had several security problems in libpurple due to PRPLs
implicitly trusting the data given to us by various IM networks.  I
want to bring up this issue to make sure we're all on the same page,
and so we have clear conventions in place.

The short answer to "Should libpurple trust IM servers?" is "no."

The long answer is a little more complicated.

There are some things where we have no choice but to trust the server:
the contents of your buddy list, which buddies are online, your
buddies status messages, incoming IMs, etc.

But we should not trust the server when it comes to things that could
harm the user's computer.  For example, we should not assume the
server will send us well-formed data and so we must always check for
possible buffer overflows.  We should guard against potential
nul-pointer dereferences.  If we write to a file based on a string
given to us by the server, we must check that string to make sure it
doesn't contain things like "../../../../../etc/passwd"  We should not
exec arbitrary commands that come in over the network.




More information about the Devel mailing list