Insomnia Security Advisories: Pidgin IM Insecure URL Handling Vulnerability

Daniel Atallah daniel.atallah at
Thu Jul 21 14:01:18 EDT 2011

On Wed, Jul 20, 2011 at 23:58, James Burton
<james.burton at> wrote:
> Security at,
> Please find the advisory detailing the vulnerability attached to this
> email.
> Please keep in touch regarding a fix so I can include the relevant
> information in my advisory which I intend to release to the public in a
> month from now. If more time is required please let me know.
> Warm Regards

Thanks for the report.

The functionality that handles "file://" URIs is intended to handle
links that are generated by Pidgin itself (links to files after file
transfer is complete).

I guess a solution could be to make it so that it only handles
file:// URIs that we generate - I'm not sure how hard that's going to
be to implement.
Another option would be to prompt the user to confirm that they want
to open the URI.

I wasn't able to find any good documentation that outlined how others
have dealt with this type of thing - are you aware of any such
