Remote crash

Eion Robb eion at robbmob.com
Wed Jan 16 15:17:15 EST 2013


Since we ship our own libpango, are we better off taking a crack at fixing
the bug, rather than working around it?
I mean, if we were to go to the effort of sanitising everywhere that we
receive user input (buddy name, alias, chat messages, im messages, topic,
Get Info, notify windows, text input areas)....

On 17 January 2013 04:30, Ethan Blanton <elb at pidgin.im> wrote:

> Daniel Atallah spake unto us the following wisdom:
> > > I'm wondering if GtkIMHtml should filter stuff on the way through, in
> > > Windows?  It sounds like maybe that's not perfect protection (I assume
> > > you'd just have to put such a string in an invite or similar), but
> > > it'd avoid channel-clearing etc.
> >
> > Yes, I've been meaning to do something like this.  I have an
> > incomplete patch that sanitizes problematic characters out of strings
> > (similar to what the plugin does).
> > I was hoping for a more central location to do this rather than for
> > GtkIMHtml, but that may not exist.
>
> What about pidgin_utf8_salvage() and the associated conversion
> functions?  On Windows, those could perform another pass to sanitize
> the string.  It's ugly and kind of expensive, but maybe not as
> crashy-crashy?
>
> Ethan
> _______________________________________________
> security mailing list
> security at pidgin.im
> http://pidgin.im/cgi-bin/mailman/listinfo/security
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://pidgin.im/cgi-bin/mailman/private/security/attachments/20130117/bab53884/attachment.html>


More information about the security mailing list