Insomnia Security Advisories: Pidgin IM Insecure URL Handling Vulnerability

Paul Aurich paul at darkrain42.org
Sat Jul 23 02:28:19 EDT 2011


And Daniel Atallah spoke on 07/22/2011 06:55 PM, saying:
> It doesn't seem reasonable for us to try to evaluate and decide what is
> safe or not for each scheme - we're going to get it wrong or be overly
> restrictive - this is a problem that the browser folks have clearly
> had to spend a lot of time thinking about, so why wouldn't we leverage
> that work?
> 
> To be clear, I'm not suggesting that the current file:// handling
> isn't a problem.
> 
> Am I completely off base here?

No.  I think we're in agreement on this.

~Paul
