Should libpurple trust IM servers?

Peter Lawler bleeter at
Tue Apr 9 04:00:23 EDT 2013

On 09/04/13 17:45, Mark Doliner wrote:
> We've had several security problems in libpurple due to PRPLs
> implicitly trusting the data given to us by various IM networks.  I
> want to bring up this issue to make sure we're all on the same page,
> and so we have clear conventions in place.
The only IM server libpurple should trust is the one sitting on the same 
machine as the server, where the server and libpurple are under the 
control of a single user (though I don't mean Unix user, a libpurple 
user should have their own login and the IM server running as its own 
userid, but I digress slightly) when it's a fresh install and no network 
has been connected.


