Insomnia Security Advisories: Pidgin IM Insecure URL Handling Vulnerability

Jorge Villaseñor salinasv at
Thu Jul 21 14:21:21 EDT 2011

On Thu, Jul 21, 2011 at 1:01 PM, Daniel Atallah
<daniel.atallah at> wrote:
> On Wed, Jul 20, 2011 at 23:58, James Burton
> <james.burton at> wrote:
>> Security at,
>> Please find the advisory detailing the vulnerability attached to this
>> email.
>> Please keep in touch regarding a fix so I can include the relevant
>> information in my advisory which I intend to release to the public in a
>> month from now. If more time is required please let me know.
>> Warm Regards
> Thanks for the report.
> The functionality that handles "file://" URIs is intended to handle
> links that are generated by Pidgin itself (links to files after file
> transfer is complete).
> I guess a solution could be to be to make it so that only handles
> file:// URIs that we generate - I'm not sure how hard that's going to
> be to implement.
> Another option would be to prompt the user to confirm that they want
> to open the URI.

I don't think that prompting the user to confirm an action started by
him is a good idea (It comes to my head windows asking you if you
really want to execute the program you just double-clicked).

I think that can be handled by the imhtml renderer.

> I wasn't able to find any good documentation that outlined how others
> have dealt with this type of thing - are you aware of any such
> documentation?
> Thanks,
> Daniel
> _______________________________________________
> security mailing list
> security at


A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing on usenet and in e-mail?

More information about the security mailing list