Should libpurple trust IM servers?
bleeter at gmail.com
Tue Apr 9 04:00:23 EDT 2013
On 09/04/13 17:45, Mark Doliner wrote:
> We've had several security problems in libpurple due to PRPLs
> implicitly trusting the data given to us by various IM networks. I
> want to bring up this issue to make sure we're all on the same page,
> and so we have clear conventions in place.
The only IM server libpurple should trust is the one sitting on the same
machine as the server, where the server and libpurple are under the
control of a single user (though I don't mean Unix user; a libpurple
user should have their own login and the IM server running as its own
userid, but I digress slightly) when it's a fresh install and no network
has been connected.