Insomnia Security Advisories: Pidgin IM Insecure URL Handling Vulnerability

Mark Doliner mark at kingant.net
Mon Aug 8 01:54:06 EDT 2011


Does this sound accurate to everyone?
* We shouldn't prompt the user "are you sure?" when they click a file:// link.
* We're ok with the "open" action for file:// links opening a file
explorer window at the given location.
* We like Eion's patch.
* We don't need to be concerned about any other URI handlers.
* We can bundle this fix with the other security fixes we'll need to
release sometime in the next week or two.
* We should not release info about this issue publicly until after we
release a version of Pidgin with Eion's patch.
* We don't need a CVE# for this issue because we're not actually doing
anything wrong (we're just making it easier for the user to do
something dumb).

--Mark


More information about the security mailing list