Insomnia Security Advisories: Pidgin IM Insecure URL Handling Vulnerability

Mark Doliner mark at
Thu Aug 18 04:30:05 EDT 2011

On Sun, Aug 7, 2011 at 11:01 PM, Mark Doliner <mark at> wrote:
> One other question.  Should we be concerned about this issue on Linux,
> too?  For something like a file:// URI to a file on an NFS or AFS
> share?  Maybe a file on an auto-mounted NFS or SMB share...?

To answer my own question... there are a few ways we open file:///
URLs on Linux:
* gnome-open file://blah - Tries to open a file browser at the given location
* kfmclient openURL file://blah - I didn't test, but it seems like
it'll try to open a browser at the given location
* purple_notify_uri(NULL, file://blah) - Uses whatever browser you've
configured in Pidgin.  I suppose this could be something that executes
the file... but that seems unlikely.

I don't know, it doesn't seem worth worrying about to me.


More information about the security mailing list