Insomnia Security Advisories: Pidgin IM Insecure URL Handling Vulnerability
daniel.atallah at gmail.com
Wed Aug 3 19:45:03 EDT 2011
On Thu, Jul 28, 2011 at 02:01, Eion Robb <eion at robbmob.com> wrote:
> Attached is a potential fix that will intercept file:// uri's and focus them
> in the Windows explorer. Can someone kindly review :)
The patch looks like it'll do the trick of preventing file:// URIs
from being opened at the cost (as discussed) of making file transfer
result links not able to be opened directly.
I think this is an appropriate solution.
> On 23 July 2011 18:28, Paul Aurich <paul at darkrain42.org> wrote:
>> And Daniel Atallah spoke on 07/22/2011 06:55 PM, saying:
>> > It doesn't seem reasonable for us to try to evaluate and decide what is
>> > safe or not for each scheme - we're going to get it wrong or be overly
>> > restrictive - this is a problem that the browser folks have clearly
>> > had to spend a lot of time thinking about, so why wouldn't we leverage
>> > that work?
>> > To be clear, I'm not suggesting that the current file:// handling
>> > isn't a problem.
>> > Am I completely off base here?
>> No. I think we're in agreement on this.
>> security mailing list
>> security at pidgin.im
> security mailing list
> security at pidgin.im
More information about the security