Insomnia Security Advisories: Pidgin IM Insecure URL Handling Vulnerability
Daniel Atallah
daniel.atallah at gmail.com
Thu Jul 21 14:01:18 EDT 2011
On Wed, Jul 20, 2011 at 23:58, James Burton
<james.burton at insomniasec.com> wrote:
> Security at Pidgin.im,
>
> Please find the advisory detailing the vulnerability attached to this
> email.
>
> Please keep in touch regarding a fix so I can include the relevant
> information in my advisory which I intend to release to the public in a
> month from now. If more time is required please let me know.
>
> Warm Regards
Thanks for the report.
The functionality that handles "file://" URIs is intended to handle
links that are generated by Pidgin itself (links to files after file
transfer is complete).
I guess a solution could be to be to make it so that only handles
file:// URIs that we generate - I'm not sure how hard that's going to
be to implement.
Another option would be to prompt the user to confirm that they want
to open the URI.
I wasn't able to find any good documentation that outlined how others
have dealt with this type of thing - are you aware of any such
documentation?
Thanks,
Daniel
More information about the security
mailing list