Command injection through URL in Pidgin

Mark Doliner mark at
Mon Jun 10 01:03:35 EDT 2013

On Sun, Jun 9, 2013 at 12:16 PM, Ethan Blanton <elb at> wrote:
> I think we have resolved that this is not a security issue from the
> Pidgin side, but that there are some helpful changes we can make to
> our URL-handling code to make it less likely that such bugs will
> affect others in the future.  Unless anyone has any objections, I
> suggest that we go ahead and make those changes (move to g_sync_spawn
> or equivalent, URL-encode URL characters other than a shell safelist
> similar to [A-Za-z0-9_:/.,+-]), but that they are not put on a fast
> track or embargoed.  Thoughts?

I agree with this.  Tomasz, are you comfortable including this as part
of your security work?

Also I suggest committing the fixes to the release-2.x.y branch of the
ssh:// repository.  I don't think we need to
request a CVE for this, but we might as well wait to make the changes
public until we release 2.10.8.
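
An added example, not part of the original message and not Pidgin's code: a sketch of the encoding half of the proposal quoted above, percent-encoding every byte outside the safelist `[A-Za-z0-9_:/.,+-]` before the URL reaches an external handler. The function name `encode_url_for_handler` and the choice to keep already well-formed `%XX` escapes are assumptions; the move to spawning without a shell is not shown.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Safelist as quoted in the thread: [A-Za-z0-9_:/.,+-] */
static int is_safelisted(unsigned char c)
{
    return (c < 0x80 && isalnum(c)) || (c && strchr("_:/.,+-", c));
}

/* Hypothetical helper (name is an assumption). Returns a malloc'd copy of
 * url with every byte outside the safelist percent-encoded. Assumption: a
 * well-formed %XX escape already present is kept, to avoid double-encoding. */
char *encode_url_for_handler(const char *url)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t n = strlen(url);
    char *out = malloc(n * 3 + 1); /* worst case: every byte becomes %XX */
    char *p = out;

    if (out == NULL)
        return NULL;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)url[i];
        if (is_safelisted(c)) {
            *p++ = (char)c;
        } else if (c == '%' && isxdigit((unsigned char)url[i + 1])
                   && isxdigit((unsigned char)url[i + 2])) {
            *p++ = '%'; /* the two hex digits pass the safelist next */
        } else {
            *p++ = '%';
            *p++ = hex[c >> 4];
            *p++ = hex[c & 0x0F];
        }
    }
    *p = '\0';
    return out;
}

int main(void)
{
    /* Constructed sample input, not taken from the thread. */
    char *enc = encode_url_for_handler("http://example.com/a b;$(id)");
    if (enc == NULL) return 1;
    puts(enc);
    free(enc);
    return 0;
}
```

The safelist is applied exactly as quoted, so `?`, `&`, `=` and `#` are encoded along with the shell metacharacters.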
