Insomnia Security Advisories: Pidgin IM Insecure URL Handling Vulnerability

Daniel Atallah daniel.atallah at gmail.com
Wed Aug 3 19:45:03 EDT 2011


On Thu, Jul 28, 2011 at 02:01, Eion Robb <eion at robbmob.com> wrote:
> Attached is a potential fix that will intercept file:// URIs and focus them
> in the Windows explorer.  Can someone kindly review :)

The patch looks like it'll do the trick of preventing file:// URIs
from being opened at the cost (as discussed) of making file transfer
result links not able to be opened directly.

I think this is an appropriate solution.


> On 23 July 2011 18:28, Paul Aurich <paul at darkrain42.org> wrote:
>>
>> And Daniel Atallah spoke on 07/22/2011 06:55 PM, saying:
>> > It doesn't seem reasonable for us to try to evaluate and decide what is
>> > safe or not for each scheme - we're going to get it wrong or be overly
>> > restrictive - this is a problem that the browser folks have clearly
>> > had to spend a lot of time thinking about, so why wouldn't we leverage
>> > that work?
>> >
>> > To be clear, I'm not suggesting that the current file:// handling
>> > isn't a problem.
>> >
>> > Am I completely off base here?
>>
>> No.  I think we're in agreement on this.
>>
>> ~Paul
>>
>>
>> _______________________________________________
>> security mailing list
>> security at pidgin.im
>> http://pidgin.im/cgi-bin/mailman/listinfo/security
>
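
The mitigation discussed in this thread (intercept file:// links and show them in the file manager rather than opening them, while leaving other schemes to the browser), sketched as an added C example. It is not the attached patch or Pidgin code; the names `uri_action`, `uri_scheme` and `classify_clicked_uri`, and the choice to reject links without a valid scheme, are assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical names: none of these come from Pidgin or the attached patch. */
typedef enum { URI_REJECT, URI_REVEAL_IN_FOLDER, URI_HAND_TO_BROWSER } uri_action;

/* Parse an RFC 3986 scheme (ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":")
 * and store it lower-cased in out. Returns 0 on success, -1 if invalid. */
static int uri_scheme(const char *uri, char *out, size_t outlen)
{
    size_t i = 0;
    if (uri == NULL || outlen == 0 || !isalpha((unsigned char)uri[0]))
        return -1;
    while (uri[i] != '\0' && uri[i] != ':') {
        unsigned char c = (unsigned char)uri[i];
        if (!(isalnum(c) || c == '+' || c == '-' || c == '.') || i + 1 >= outlen)
            return -1;
        out[i++] = (char)tolower(c);
    }
    if (uri[i] != ':')
        return -1;
    out[i] = '\0';
    return 0;
}

/* Decide what a click on a link in a received message is allowed to do. */
uri_action classify_clicked_uri(const char *uri)
{
    char scheme[16];
    /* Skip leading whitespace so " file://..." is still seen as file:. */
    while (uri != NULL && isspace((unsigned char)*uri))
        uri++;
    if (uri_scheme(uri, scheme, sizeof scheme) != 0)
        return URI_REJECT; /* assumption: no valid scheme, do nothing */
    /* file: links are never opened directly; the caller only highlights
     * the item in the file manager. Schemes compare case-insensitively. */
    if (strcmp(scheme, "file") == 0)
        return URI_REVEAL_IN_FOLDER;
    /* Other schemes are not judged here; the browser decides. */
    return URI_HAND_TO_BROWSER;
}

int main(void)
{   /* Constructed sample links. */
    return classify_clicked_uri("FILE:///C:/constructed/sample.txt") == URI_REVEAL_IN_FOLDER
        && classify_clicked_uri("https://example.org/") == URI_HAND_TO_BROWSER ? 0 : 1;
}
```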

