Command injection through URL in Pidgin

Tomasz Wasilczyk tomkiewi at
Mon Jun 10 07:20:23 EDT 2013

2013/6/10 Mark Doliner <mark at>:
> On Sun, Jun 9, 2013 at 12:16 PM, Ethan Blanton <elb at> wrote:
>> I think we have resolved that this is not a security issue from the
>> Pidgin side, but that there are some helpful changes we can make to
>> our URL-handling code to make it less likely that such bugs will
>> affect others in the future.  Unless anyone has any objections, I
>> suggest that we go ahead and make those changes (move to g_sync_spawn
>> or equivalent, URL-encode URL characters other than a shell safelist
>> similar to [A-Za-z0-9_:/.,+-]), but that they are not put on a fast
>> track or embargoed.  Thoughts?
> I agree with this.  Tomasz, are you comfortable including this as part
> of your security work?
> Also I suggest committing the fixes to the release-2.x.y branch of the
> ssh:// repository.  I don't think we need to
> request a CVE for this, but we might as well wait to make the changes
> public until we release 2.10.8.

I'll handle this.


More information about the security mailing list