Insomnia Security Advisories: Pidgin IM Insecure URL Handling Vulnerability

Eion Robb eion at robbmob.com
Thu Jul 28 02:01:50 EDT 2011


Attached is a potential fix that will intercept file:// URIs and focus them
in the Windows explorer.  Can someone kindly review :)

On 23 July 2011 18:28, Paul Aurich <paul at darkrain42.org> wrote:

> And Daniel Atallah spoke on 07/22/2011 06:55 PM, saying:
> > It doesn't seem reasonable for us to try to evaluate and decide what is
> > safe or not for each scheme - we're going to get it wrong or be overly
> > restrictive - this is a problem that the browser folks have clearly
> > had to spend a lot of time thinking about, so why wouldn't we leverage
> > that work?
> >
> > To be clear, I'm not suggesting that the current file:// handling
> > isn't a problem.
> >
> > Am I completely off base here?
>
> No.  I think we're in agreement on this.
>
> ~Paul
>
>
> _______________________________________________
> security mailing list
> security at pidgin.im
> http://pidgin.im/cgi-bin/mailman/listinfo/security
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gtkutils_windows_file_vuln_fix.diff
Type: application/octet-stream
Size: 1041 bytes
Desc: not available
URL: <http://pidgin.im/cgi-bin/mailman/private/security/attachments/20110728/12e3e321/attachment.obj>

