Potential security issue: Yahoo authorisation requests with invalid encoding

Mark Doliner mark at kingant.net
Fri Dec 28 16:45:48 EST 2012


(+to Sulabh, who has done some work on our Yahoo! protocol plugin.)

On Mon, Sep 24, 2012 at 8:52 AM, Ethan Blanton <elb at pidgin.im> wrote:
> The fix for this particular crash is easy, although I'm not sure
> whether the incoming message should be sanitized with
> yahoo_string_decode or purple_utf8_salvage

I don't know the answer, but since the code currently treats the
strings as utf8 it seems reasonable to use purple_utf8_salvage.

> However, in looking through
> the yahoo prpl, it looks likely to me that there are a LOT of places
> where this is likely to be a problem.  As an example, in the very same
> notification messages, the incoming nickname fields are not sanitized.

If anyone is interested in working on this in the next day or two let
me know, otherwise I'll take a stab at it and send out a patch for
review.

